Managed Sentinel – Alert 057

Alert ID: MS-A057

Alert Name: Long DNS Query

Description: The length of a DNS query can often be an indicator of suspicious activity. Regular domain names are not very long, whereas domain names used for data exfiltration or DNS tunneling are often very long, because the payload is encoded (base64, base32, etc.) into the name. The query looks for names that are more than 200 characters in length. Having said that, there are also a lot of reputation feeds and some services, like Spotify, which use the DNS protocol to send information to external servers.

Source: Github - Microsoft

Severity Level: Low

Threat Indicator: Data Theft

MITRE ATT&CK Tactics: Command and Control, Exfiltration

Log sources: DNS Logs

False Positives: Valid internal services performing this type of DNS request. It is recommended to whitelist these applications.

Recommendations: It is recommended to review the Firewall\Webproxy logs in relation to the ClientIP making the DNS requests.
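The detection logic the description states (query name longer than 200 characters) and the false-positive handling it recommends (whitelisting known services), as an added Python example; this is not Microsoft's or Managed Sentinel's own query. The log line format, the sample names, the `internal-service.example` allowlist entry and all function names are constructed for this example.

```python
"""Detection logic for the 'Long DNS Query' alert (MS-A057): flag DNS query
names longer than 200 characters and separate out names that belong to an
allowlist of services known to carry data in DNS, the false-positive case
the alert notes. Added example, not the vendor's own rule."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

LENGTH_THRESHOLD = 200  # the alert's stated cut-off: names longer than 200 characters

# Constructed 60-character base32-style labels, the shape encoded tunneling
# traffic tends to have (a single DNS label is limited to 63 characters).
_LABEL = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:60]
TUNNEL_NAME = ".".join([_LABEL] * 4) + ".exfil.example"                              # 257 chars
ALLOWED_LONG_NAME = ".".join([_LABEL] * 3) + ".telemetry.internal-service.example"  # 217 chars

# Constructed sample log lines in a simple whitespace-separated
# "<timestamp> <client_ip> <query_name>" format (hypothetical, not a product's format).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z 10.0.0.7 www.example.com",
    f"2024-01-01T10:00:01Z 10.0.0.5 {TUNNEL_NAME}",
    f"2024-01-01T10:00:02Z 10.0.0.9 {ALLOWED_LONG_NAME}",
    "malformed line",
]

# Hypothetical allowlist of domain suffixes for internal services whose long
# queries are expected (the alert's "whitelist these applications" advice).
ALLOWLIST = ("internal-service.example",)


@dataclass
class LongQuery:
    timestamp: str
    client_ip: str
    name: str
    length: int
    allowlisted: bool


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a log line into (timestamp, client_ip, name); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    # Normalise: drop a trailing root dot and lower-case so suffix matching is stable.
    return parts[0], parts[1], parts[2].rstrip(".").lower()


def is_allowlisted(name: str, allowlist: Sequence[str]) -> bool:
    """Suffix match on whole labels, so 'evil-internal-service.example' does not match."""
    return any(name == s or name.endswith("." + s) for s in allowlist)


def find_long_queries(lines: Iterable[str], threshold: int = LENGTH_THRESHOLD,
                      allowlist: Sequence[str] = ALLOWLIST) -> List[LongQuery]:
    """Every query whose name exceeds the threshold, tagged with its allowlist status."""
    hits: List[LongQuery] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected format
        ts, ip, name = parsed
        if len(name) > threshold:
            hits.append(LongQuery(ts, ip, name, len(name), is_allowlisted(name, allowlist)))
    return hits


def alerts(lines: Iterable[str], threshold: int = LENGTH_THRESHOLD,
           allowlist: Sequence[str] = ALLOWLIST) -> List[LongQuery]:
    """Only the hits that should raise the alert: long and not on the allowlist."""
    return [h for h in find_long_queries(lines, threshold, allowlist) if not h.allowlisted]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_LOGS):
        print(f"{hit.timestamp} {hit.client_ip} queried a {hit.length}-char name; "
              "review firewall/web proxy logs for this ClientIP")
```

The allowlist is matched on whole-label suffixes rather than substrings, so a name that merely contains a whitelisted service's name in a longer label does not slip through; the allowlisted hits are still returned by `find_long_queries` so that they can be counted for tuning even though they do not raise the alert.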