Managed Sentinel – Alert 242
| Field | Value |
|---|---|
| Alert Name | Internal hosts querying a large number of DNS servers |
| Description | Identifies internal hosts that send DNS queries to multiple distinct DNS servers within a predefined time window. |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Exfiltration |
| Log sources | Firewall Traffic Logs |
| False Positives | Legitimate software that uses DNS to transfer data; personal (BYOD) devices connected to the corporate network; wireless-connected devices, which may generate a lot of DNS traffic to unsanctioned servers. |
| Recommendations | 1. Review the internal system and identify any suspicious applications or processes running on it. 2. Perform a full AV/AM scan on the targeted machine. 3. In organizations whose clients resolve through internal DNS servers, the perimeter firewall will see the spike originating from the internal DNS server (the forwarder) rather than from the client; block outbound DNS (UDP/TCP 53) to non-sanctioned servers at the perimeter. 4. Review the internal DNS server's own query logs to identify the client generating the high volume of DNS queries. 5. Review the corporate DNS and DHCP infrastructure and correct any non-standard settings (for example, clients handed resolvers other than the corporate ones). |
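The detection logic behind this alert, as an added example that is not part of the Managed Sentinel rule or its KQL: it reads firewall traffic log lines, keeps only DNS (port 53) flows to servers outside a sanctioned set, and flags any source that contacts at least `THRESHOLD` distinct DNS servers inside a sliding `WINDOW`. The log format, the addresses, the sanctioned resolvers and the threshold are all assumptions chosen for the example. It also marks hits whose source is itself a corporate resolver, which is the forwarder case from recommendations 3 and 4, where the analyst must go to the DNS server's own query logs to find the originating client.

```python
"""Added example: detect internal hosts querying many distinct DNS servers.

Log format, addresses, sanctioned resolvers and thresholds are assumptions
for this example, not Microsoft Sentinel's schema or the rule's own query.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed firewall traffic log lines (not real data):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.1.2.15 10.1.0.53 53 udp
2024-05-01T10:00:02Z 10.1.2.15 10.1.0.53 53 udp
2024-05-01T10:00:03Z 10.1.2.15 104.16.0.1 443 tcp
2024-05-01T10:00:05Z 10.1.2.15 10.1.0.54 53 udp
2024-05-01T10:01:00Z 10.1.2.77 8.8.8.8 53 udp
2024-05-01T10:01:10Z 10.1.2.77 1.1.1.1 53 udp
2024-05-01T10:01:20Z 10.1.2.77 9.9.9.9 53 udp
2024-05-01T10:01:30Z 10.1.2.77 8.8.4.4 53 udp
2024-05-01T10:01:40Z 10.1.2.77 208.67.222.222 53 udp
2024-05-01T10:02:00Z 10.1.2.77 1.0.0.1 53 tcp
2024-05-01T10:00:00Z 10.1.2.90 8.8.8.8 53 udp
2024-05-01T10:30:00Z 10.1.2.90 1.1.1.1 53 udp
2024-05-01T11:00:00Z 10.1.2.90 9.9.9.9 53 udp
2024-05-01T11:30:00Z 10.1.2.90 8.8.4.4 53 udp
2024-05-01T12:00:00Z 10.1.2.90 1.0.0.1 53 udp
2024-05-01T10:05:00Z 10.1.0.53 8.8.8.8 53 udp
2024-05-01T10:05:15Z 10.1.0.53 1.1.1.1 53 udp
2024-05-01T10:05:30Z 10.1.0.53 9.9.9.9 53 udp
2024-05-01T10:05:45Z 10.1.0.53 8.8.4.4 53 udp
2024-05-01T10:06:00Z 10.1.0.53 1.0.0.1 53 udp
"""

SANCTIONED_DNS = {"10.1.0.53", "10.1.0.54"}  # assumed corporate resolvers
WINDOW = timedelta(minutes=10)                # assumed "predefined time"
THRESHOLD = 5                                # distinct non-sanctioned servers


def parse_line(line):
    """Parse one constructed log line; returns None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def dns_events_by_source(lines, sanctioned):
    """Keep only port-53 flows to non-sanctioned servers, grouped and sorted by source."""
    by_src = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != 53 or ev["dst"] in sanctioned:
            continue
        by_src.setdefault(ev["src"], []).append(ev)
    for evs in by_src.values():
        evs.sort(key=lambda e: e["ts"])
    return by_src


def find_hosts_querying_many_dns(lines, window=WINDOW, threshold=THRESHOLD,
                                 sanctioned=SANCTIONED_DNS):
    """Return {src: {...}} for sources that reached `threshold` distinct DNS
    servers within any `window`; keeps the largest distinct set seen per source."""
    hits = {}
    for src, evs in dns_events_by_source(lines, sanctioned).items():
        counts = Counter()  # distinct destinations currently inside the window
        left = 0
        for ev in evs:
            counts[ev["dst"]] += 1
            # Drop events that fell out of the window as it slides forward.
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]["dst"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold and (
                    src not in hits or len(counts) > len(hits[src]["servers"])):
                hits[src] = {
                    "window_start": evs[left]["ts"],
                    "servers": set(counts),
                    # Forwarder case: the spike is seen from the corporate resolver,
                    # so the originating client must be found in its query logs.
                    "is_sanctioned_resolver": src in sanctioned,
                }
    return hits


if __name__ == "__main__":
    for src, info in find_hosts_querying_many_dns(SAMPLE_LOGS.splitlines()).items():
        where = "corporate resolver, check its query logs" if info["is_sanctioned_resolver"] else "client host"
        print(f"{src} ({where}): {len(info['servers'])} DNS servers from {info['window_start']}")
```

In the constructed data, 10.1.2.77 fires (six resolvers in one minute) and 10.1.0.53 fires as a sanctioned resolver fanning out to upstream servers, while 10.1.2.15 (only corporate resolvers) and 10.1.2.90 (one resolver every 30 minutes) do not. Tune `WINDOW` and `THRESHOLD` against a baseline of your own firewall logs before enabling this in production, since BYOD and wireless segments will raise the normal distinct-server count.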