Managed Sentinel – Alert 026

Alert ID: MS-A026
Alert Name: DNS Full Name anomalous lookup increase (Outlier)
Description: Checks for a threefold or greater increase in full-name DNS lookups per ClientIP today, relative to the daily average over the previous week. This can potentially identify excessive traffic to a given destination that could be indicative of data being transferred out of your network.
Source: Github - Microsoft
Severity Level: Informational
Threat Indicator: Data Theft
MITRE ATT&CK Tactics: Command and Control
Log sources: DNS Logs
False Positives: Unknown
Recommendations: It is recommended to review the Firewall/Webproxy logs in relation to the ClientIP making the WannaCry requests.
Quarantine suspected host and perform a full antimalware scan.
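As an added example (not the Microsoft rule's own query), the Description's logic implemented in Python over constructed DNS records: for each ClientIP and queried name, today's lookup count is compared with the daily average over the previous seven days and flagged at three times or more. The IPs, names and record layout are assumptions; note that a name with no prior-week history has no baseline and is not flagged by this ratio test.

```python
"""Outlier check for 'DNS Full Name anomalous lookup increase' (constructed example)."""
from collections import Counter
from datetime import date, datetime, timedelta

THRESHOLD = 3.0      # flag when today's count >= 3x the prior-week daily average
BASELINE_DAYS = 7    # "daily average for the previous week"


def count_per_day(events):
    """Return {(client_ip, name): Counter{day: lookups}} from (ts, ip, name) tuples."""
    counts = {}
    for ts, ip, name in events:
        counts.setdefault((ip, name), Counter())[ts.date()] += 1
    return counts


def find_outliers(events, today, threshold=THRESHOLD, baseline_days=BASELINE_DAYS):
    """Return sorted (client_ip, name, today_count, baseline_avg) for each pair whose
    lookups today are >= threshold x its average daily count over the previous week.
    Days with no lookups count as zero in the average; a pair with no history at all
    (baseline 0) is skipped, since the ratio would be undefined."""
    window = [today - timedelta(days=d) for d in range(1, baseline_days + 1)]
    results = []
    for (ip, name), per_day in count_per_day(events).items():
        baseline = sum(per_day.get(d, 0) for d in window) / baseline_days
        today_count = per_day.get(today, 0)
        if baseline > 0 and today_count >= threshold * baseline:
            results.append((ip, name, today_count, round(baseline, 2)))
    return sorted(results)


def build_sample(today):
    """Constructed sample (hypothetical hosts, not real log data): 8 days of lookups."""
    events = []
    for d in range(1, BASELINE_DAYS + 1):           # previous week: steady 10/day each
        day = datetime.combine(today - timedelta(days=d), datetime.min.time())
        events += [(day, "10.0.0.5", "update.example.com")] * 10
        events += [(day, "10.0.0.5", "files.example.net")] * 10
        events += [(day, "10.0.0.9", "update.example.com")] * 10
    now = datetime.combine(today, datetime.min.time())
    events += [(now, "10.0.0.5", "update.example.com")] * 12   # normal jitter, not flagged
    events += [(now, "10.0.0.5", "files.example.net")] * 40    # 4x the daily average: flagged
    events += [(now, "10.0.0.9", "update.example.com")] * 25   # 2.5x: below threshold
    events += [(now, "10.0.0.9", "new.example.org")] * 500     # no baseline: skipped here
    return events


if __name__ == "__main__":
    run_day = date(2024, 3, 8)
    for hit in find_outliers(build_sample(run_day), run_day):
        print("ClientIP %s -> %s: %d today vs %.1f/day last week" % hit)
```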