Managed Sentinel – Alert 026

Alert ID: MS-A026
Alert Name: DNS Full Name anomalous lookup increase (Outlier)
Description: Checks for a threefold or greater increase in Full Name lookups per ClientIP for today, compared with the daily average over the previous week. This can potentially identify excessive traffic to a given location that could be indicative of data transfer out of your network.
Source: Github - Microsoft
Severity Level: Informational
Threat Indicator: Data Theft
MITRE ATT&CK Tactics: Command and Control, Exfiltration
Log sources: DNS Logs
False Positives: Unknown
Recommendations: It is recommended to review the Firewall\Webproxy logs in relation to the ClientIP making the WannaCry requests.
Quarantine the suspected host and perform a full antimalware scan.
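The detection logic described above, worked through as an added example over constructed DNS log lines (this is not the Microsoft query from the Sentinel GitHub repository, nor Managed Sentinel's own code). The log line format `<ISO timestamp> <ClientIP> <FullName>`, the host names and the counts are all constructed. One assumption is made explicit because the alert text leaves it open: the weekly baseline is the total lookups over the previous seven calendar days divided by seven, so days with no lookups count as zero; a (ClientIP, FullName) pair seen for the first time today has no baseline and is skipped rather than divided by zero.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

BASELINE_DAYS = 7      # "previous week"
THRESHOLD = 3.0        # "threefold increase or more"
TODAY = date(2024, 1, 8)  # constructed reference day for the sample log


def _build_sample_log():
    """Constructed sample DNS lookup log, one line per query:
    '<ISO timestamp> <ClientIP> <FullName>'."""
    lines = []

    def add(day, ip, name, n):
        for i in range(n):
            ts = f"{day}T{(i // 60) % 24:02d}:{i % 60:02d}:00"
            lines.append(f"{ts} {ip} {name}")

    week = [TODAY - timedelta(days=d) for d in range(BASELINE_DAYS, 0, -1)]
    for day in week:
        add(day, "10.0.0.5", "update.example-corp.internal", 10)  # steady, benign
        add(day, "10.0.0.9", "bulk-xfer.example.net", 2)          # low baseline
    for day in week[:3]:
        add(day, "10.0.0.5", "cdn.example.com", 4)                 # only seen 3 of 7 days
    add(TODAY, "10.0.0.5", "update.example-corp.internal", 12)     # 1.2x: no alert
    add(TODAY, "10.0.0.9", "bulk-xfer.example.net", 40)            # 20x: alert
    add(TODAY, "10.0.0.5", "cdn.example.com", 6)                   # 3.5x under zero-fill
    add(TODAY, "10.0.0.9", "new-host.example.org", 50)             # no baseline: skipped
    return lines


SAMPLE_DNS_LOG = _build_sample_log()


def parse_line(line):
    """Split one constructed log line into (datetime, client_ip, full_name)."""
    ts, client_ip, name = line.split()
    return datetime.fromisoformat(ts), client_ip, name


def daily_counts(lines):
    """Count lookups per (day, ClientIP, FullName)."""
    counts = defaultdict(int)
    for line in lines:
        ts, ip, name = parse_line(line)
        counts[(ts.date(), ip, name)] += 1
    return counts


def find_outliers(lines, today, baseline_days=BASELINE_DAYS, threshold=THRESHOLD):
    """Return (ClientIP, FullName) pairs whose lookup count today is at least
    `threshold` times their daily average over the previous `baseline_days`."""
    counts = daily_counts(lines)
    window_start = today - timedelta(days=baseline_days)
    baseline_total = defaultdict(int)  # (ip, name) -> lookups over the window
    today_counts = {}
    for (day, ip, name), n in counts.items():
        if day == today:
            today_counts[(ip, name)] = n
        elif window_start <= day < today:
            baseline_total[(ip, name)] += n

    results = []
    for (ip, name), n_today in today_counts.items():
        total = baseline_total.get((ip, name), 0)
        if total == 0:
            continue  # assumption: no baseline, so no ratio to compute
        # Average over the full window: days without lookups count as zero.
        avg = total / baseline_days
        ratio = n_today * baseline_days / total  # exact, avoids float rounding
        if ratio >= threshold:
            results.append({
                "client_ip": ip,
                "full_name": name,
                "today": n_today,
                "baseline_avg": avg,
                "ratio": ratio,
            })
    return sorted(results, key=lambda r: r["ratio"], reverse=True)


if __name__ == "__main__":
    for hit in find_outliers(SAMPLE_DNS_LOG, TODAY):
        print(f'{hit["client_ip"]} -> {hit["full_name"]}: '
              f'{hit["today"]} today vs avg {hit["baseline_avg"]:.2f} ({hit["ratio"]:.1f}x)')
```

The `cdn.example.com` row shows why the baseline definition matters: it averages 4 lookups on the days it was seen, which would not trip the threshold, but zero-filling the four quiet days pulls the average to about 1.7 and makes 6 lookups a 3.5x outlier. Whichever convention your rule uses, document it, since it decides how many low-volume names produce informational alerts; the never-before-seen `new-host.example.org` row is skipped here and is the kind of case a separate first-seen rule would cover.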