Managed Sentinel – Alert 027

Alert ID: MS-A027
Alert Name: DNS high NXDomain count (Outlier)
Description: Clients with a high NXDomain count could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).
Source: Github - Microsoft
Severity Level: Low
Threat Indicator: Data Theft
MITRE ATT&CK Tactics: Command and Control, Exfiltration
Log sources: DNS Logs
False Positives: Unknown
Recommendations: It is recommended to review the Firewall/Web proxy logs in relation to the ClientIP making the DNS requests.
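The detection logic the alert describes, as an added example that is not the Managed Sentinel page's or Microsoft's own rule: it counts NXDOMAIN responses per client over constructed DNS log lines (a simplified "timestamp client query rcode" format assumed here) and flags clients whose count is an outlier against a median + k*MAD threshold, also reporting how many distinct names failed, since a DGA cycles through many different domains.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample DNS log lines (simplified format assumed for this example).
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com NOERROR
2024-01-01T10:00:03Z 10.0.0.5 typo.exmaple.com NXDOMAIN
2024-01-01T10:00:04Z 10.0.0.6 cdn.example.net NOERROR
2024-01-01T10:00:05Z 10.0.0.6 old.example.net NXDOMAIN
2024-01-01T10:00:06Z 10.0.0.7 update.example.org NOERROR
"""
# Constructed DGA-like client: many distinct names that do not resolve.
SAMPLE_DNS_LOG += "".join(
    f"2024-01-01T10:01:{i:02d}Z 10.0.0.9 q{i:02d}kzf.net NXDOMAIN\n" for i in range(20)
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def nxdomain_counts(log_text):
    """Return {client_ip: (nxdomain_count, distinct_nxdomain_names)}."""
    counts = defaultdict(int)
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN":
            counts[client] += 1
            names[client].add(qname.lower())
    return {c: (counts[c], len(names[c])) for c in counts}


def nxdomain_outliers(log_text, k=3.0, min_count=10):
    """Flag clients whose NXDOMAIN count exceeds median + k*MAD (and min_count)."""
    stats = nxdomain_counts(log_text)
    if not stats:
        return []
    values = [n for n, _ in stats.values()]
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # zero spread: fall back to 1
    threshold = max(min_count, med + k * mad)  # min_count suppresses tiny data sets
    return sorted(c for c, (n, _) in stats.items() if n > threshold)
```

With the constructed input only 10.0.0.9 is flagged; the single typo from 10.0.0.5 and the stale name from 10.0.0.6 stay below the threshold, which is the kind of noise the alert's "Unknown" false-positive rate refers to.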