Managed Sentinel – Alert 242

Alert ID: MS-A242
Alert Name: Internal hosts querying large number of DNS servers
Description: This alert identifies internal hosts performing DNS queries against multiple DNS servers within a predefined time window.
Severity Level: Informational
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Exfiltration
Log sources: Firewall Traffic Logs; Windows Logs
False Positives:
- Valid software that uses DNS for transferring data
- Personal devices (BYOD) connected to the corporate network
- Wireless-connected devices, which tend to generate a lot of DNS traffic to unsanctioned servers
Recommendations:
1. Review the internal system and identify any suspicious applications or processes running on it.
2. Perform a full AV/AM scan on the targeted machine.
3. For organizations that use internal DNS servers, the perimeter firewall will see the spike as originating from the internal DNS server, and non-sanctioned DNS servers can be blocked there.
4. Additional review of the DNS server events may be required to identify the source machine generating the high volume of DNS traffic.
5. Review the corporate DNS and DHCP infrastructure and adjust any non-standard settings.
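The detection logic behind this alert, as an added example that is not part of the original alert catalogue: it counts the distinct non-sanctioned DNS servers each internal host contacts inside a sliding time window and flags hosts at or above a threshold. The log format, the corporate resolver address 10.0.0.53, the five-minute window and the threshold of five servers are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall traffic log lines (not from the alert page):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOGS = """\
2024-01-15T09:00:01 10.0.0.12 10.0.0.53 53 udp
2024-01-15T09:00:05 10.0.0.12 8.8.8.8 53 udp
2024-01-15T09:00:09 10.0.0.12 1.1.1.1 53 udp
2024-01-15T09:00:14 10.0.0.12 9.9.9.9 53 udp
2024-01-15T09:00:20 10.0.0.12 208.67.222.222 53 udp
2024-01-15T09:00:25 10.0.0.12 64.6.64.6 53 udp
2024-01-15T09:01:00 10.0.0.45 10.0.0.53 53 udp
2024-01-15T09:02:00 10.0.0.77 10.0.0.53 53 udp
2024-01-15T09:02:30 10.0.0.77 8.8.8.8 53 udp
2024-01-15T09:30:00 10.0.0.12 1.0.0.1 53 udp
"""
SANCTIONED_DNS = frozenset({"10.0.0.53"})  # assumed corporate resolver


def parse_logs(text):
    """Parse log lines into (timestamp, src_ip, dst_ip); keep only port-53 traffic."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, _proto = line.split()
        if port == "53":
            events.append((datetime.fromisoformat(ts), src, dst))
    return events


def hosts_querying_many_dns(events, window=timedelta(minutes=5), threshold=5, sanctioned=frozenset()):
    """Return {host: servers} for hosts that contacted >= threshold distinct non-sanctioned
    DNS servers inside any sliding window of length `window` (sanctioned resolvers never count)."""
    by_host = defaultdict(list)
    for ts, src, dst in events:
        if dst not in sanctioned:
            by_host[src].append((ts, dst))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span [start, end] fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            servers = {dst for _, dst in evs[start:end + 1]}
            if len(servers) >= threshold:
                # Union of servers over every window that tripped the rule
                flagged[host] = flagged.get(host, set()) | servers
    return flagged
```

Tuning the threshold and excluding the sanctioned resolver is what keeps ordinary corporate lookups (host 10.0.0.45 above) out of the alert while the host fanning out to many external resolvers is still flagged.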