Managed Sentinel – Alert 027
| Field | Value |
|---|---|
| Alert ID | MS-A027 |
| Alert Name | DNS high NXDomain count (Outlier) |
| Description | A client generating an unusually high NXDOMAIN count (DNS response code 3, name does not exist) relative to its peers may be running a domain generation algorithm (DGA): the malware cycles through candidate C2 domains, most of which are never registered, so most of its lookups fail. Source: GitHub - Microsoft |
| Severity Level | Low |
| Threat Indicator | Data Theft |
| MITRE ATT&CK Tactics | Command and Control, Exfiltration |
| Log sources | DNS Logs |
| False Positives | Unknown |
| Recommendations | Review the firewall and web proxy logs for the ClientIP making the DNS requests, focusing on the queried names that did resolve and any outbound connections to them. Check whether the failed names look machine-generated (long, high-entropy labels) rather than typos, stale internal hostnames, search-suffix appending or WPAD lookups, all of which also produce NXDOMAIN responses. |
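
The detection and the first triage step, as an added example written for this page (Python, not the Sentinel analytics rule or any Microsoft code). It counts NXDOMAIN responses per ClientIP over constructed sample log lines, flags clients far above the fleet median, and for each flagged client scores the failed labels by Shannon entropy and lists the names that did resolve, which are the pivot for the firewall and web proxy review. The CSV log layout, field names, the `median + k * MAD` rule and the threshold constants are assumptions.

```python
"""Added example: NXDOMAIN outlier detection plus a first triage step.
Illustrative code written for this alert page; not the Sentinel rule.
The CSV layout, field names and thresholds below are assumptions."""
import math
import random
import statistics
import string
from collections import Counter

NXDOMAIN = 3  # DNS RCODE 3 (Name Error); 0 is NOERROR

# Constructed sample log lines (not real data).
# Assumed layout: timestamp,ClientIP,Name,ResultCode
_NORMAL_LINES = """\
2024-05-01T09:00:01Z,10.0.0.11,www.example.com,0
2024-05-01T09:00:02Z,10.0.0.11,mail.example.com,0
2024-05-01T09:00:03Z,10.0.0.11,typo.exampel.com,3
2024-05-01T09:00:04Z,10.0.0.12,login.example.com,0
2024-05-01T09:00:05Z,10.0.0.12,wpad.corp.local,3
2024-05-01T09:00:06Z,10.0.0.12,wpad.corp.local,3
2024-05-01T09:00:07Z,10.0.0.13,update.example.org,0
2024-05-01T09:00:08Z,10.0.0.13,old-host.corp.local,3
2024-05-01T09:00:09Z,10.0.0.14,cdn.example.net,0
2024-05-01T09:00:10Z,10.0.0.14,printer7.corp.local,3
"""


def _dga_like_lines(client="10.0.0.50", count=20, seed=1):
    """Constructed DGA-style traffic: `count` failed lookups of 16-character
    labels (distinct characters, so entropy is exactly 4 bits), followed by
    one lookup that resolves, standing in for the registered C2 domain."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + string.digits
    lines = []
    for i in range(count):
        label = "".join(rng.sample(alphabet, 16))
        lines.append(f"2024-05-01T09:01:{i:02d}Z,{client},{label}.net,{NXDOMAIN}")
    lines.append(f"2024-05-01T09:01:{count:02d}Z,{client},zq4w8rn1tk5x3ypb.net,0")
    return "\n".join(lines) + "\n"


SAMPLE_LOGS = _NORMAL_LINES + _dga_like_lines()


def parse_logs(text):
    """Parse the assumed CSV layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rc = line.split(",")
        records.append({"ts": ts, "ClientIP": client,
                        "Name": name.lower().rstrip("."), "ResultCode": int(rc)})
    return records


def nxdomain_counts(records):
    """NXDOMAIN responses per ClientIP."""
    return Counter(r["ClientIP"] for r in records if r["ResultCode"] == NXDOMAIN)


def outlier_clients(counts, k=3.0, floor=10):
    """Clients whose count is far above the fleet's typical value.
    median + k * MAD is robust to the outlier itself; `floor` keeps a quiet
    estate (where MAD can be 0) from alerting on a couple of failed lookups."""
    values = list(counts.values())
    if len(values) < 3:
        return {}
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = max(floor, med + k * 1.4826 * mad)
    return {ip: c for ip, c in counts.items() if c > threshold}


def shannon_entropy(s):
    """Bits of entropy per character; random DGA labels score near 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(name):
    """Crude: the label left of the last one (no public-suffix list)."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def triage(records, client, min_entropy=3.5):
    """How many lookups failed, how many failed labels look machine-generated,
    and which names resolved (the pivot for firewall / web proxy review)."""
    mine = [r for r in records if r["ClientIP"] == client]
    failed = sorted({r["Name"] for r in mine if r["ResultCode"] == NXDOMAIN})
    resolved = sorted({r["Name"] for r in mine if r["ResultCode"] == 0})
    high = [n for n in failed if shannon_entropy(registered_label(n)) >= min_entropy]
    return {"failed_lookups": sum(1 for r in mine if r["ResultCode"] == NXDOMAIN),
            "distinct_failed": len(failed), "high_entropy_failed": len(high),
            "resolved": resolved}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for ip, n in outlier_clients(nxdomain_counts(recs)).items():
        print(ip, n, triage(recs, ip))
```

On the sample data only 10.0.0.50 is flagged: its 20 failed labels all score 4 bits of entropy, while the legitimate NXDOMAIN sources (a typo, `wpad`, a stale internal host) score 2.5 or less. The single resolved name is what to look for in the firewall and proxy logs next.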
