Managed Sentinel – Alert 030
| Field | Value |
| --- | --- |
| Alert ID | MS-A030 |
| Alert Name | Excessive outbound DNS queries |
| Description | This is an outlier-type alert: it fires when an internal machine generates a large volume of DNS queries towards an untrusted zone. The customer provides the thresholds, based on the specifics of the local environment. |
| Severity Level | Low |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Persistence, Defense Evasion, Exfiltration |
| Log sources | Firewall Traffic Logs |
| False Positives | Legitimate software that uses DNS for transferring data |

Recommendations:

1. Review the internal system and identify any suspicious applications or processes running on it.
2. Perform a full AV/AM scan on the targeted machine.
3. For organizations that use internal DNS servers, the perimeter firewall will see the spike as originating from the internal DNS server rather than from the client.
4. Additional review of the DNS server events may be required to identify the source machine generating the high volume of DNS traffic.
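The following is an added illustration of the detection logic described above, not Managed Sentinel's own rule (which would be written in KQL over the firewall log table). It runs over constructed firewall traffic log lines; the log format, the trusted-zone allowlist, the internal DNS server address and the threshold are all assumptions to be tuned per environment, as the description notes, and it marks an internal resolver as the source so the analyst knows to pivot to the DNS server logs (recommendations 3 and 4).

```python
"""Added example, not Managed Sentinel's own rule: count outbound DNS queries per internal
host to zones outside an allowlist and flag hosts above a threshold. Log format, trusted
zones, internal DNS server address and threshold are constructed assumptions."""
import re
from collections import Counter

# Assumed tunables; the alert description leaves thresholds to the customer.
TRUSTED_ZONES = ("contoso.com", "microsoft.com")   # zones excluded from the count
INTERNAL_DNS_SERVERS = {"10.0.0.53"}               # resolvers that forward client queries
THRESHOLD = 5                                      # queries per window before alerting

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) .*qname=(?P<qname>\S+)")

def in_trusted_zone(qname: str) -> bool:
    """True when qname is in, or a subdomain of, an allowlisted zone."""
    qname = qname.rstrip(".").lower()
    return any(qname == z or qname.endswith("." + z) for z in TRUSTED_ZONES)

def count_untrusted_queries(log_lines):
    """Return {src_ip: number of port-53 queries to untrusted zones} from firewall log lines."""
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "53":
            continue  # skip unparseable lines and non-DNS traffic
        if in_trusted_zone(m.group("qname")):
            continue
        counts[m.group("src")] += 1
    return counts

def find_outliers(log_lines, threshold=THRESHOLD):
    """Hosts over the threshold; internal resolvers are marked so the analyst knows to
    pivot to DNS server logs for the real originating client."""
    result = {}
    for src, n in count_untrusted_queries(log_lines).items():
        if n > threshold:
            result[src] = {"queries": n, "is_internal_dns": src in INTERNAL_DNS_SERVERS}
    return result

# Constructed sample: 10.0.0.15 sends 6 queries to an untrusted zone plus 2 to a trusted one,
# 10.0.0.20 stays under threshold, and the internal resolver 10.0.0.53 relays 7 queries.
SAMPLE_LOGS = (
    [f"ts=t{i} src=10.0.0.15 dst=203.0.113.10 dport=53 proto=udp qname=c{i}.untrusted-example.net" for i in range(6)]
    + ["ts=t6 src=10.0.0.15 dst=203.0.113.10 dport=53 proto=udp qname=update.contoso.com"] * 2
    + [f"ts=t{i} src=10.0.0.20 dst=203.0.113.10 dport=53 proto=udp qname=q{i}.untrusted-example.net" for i in range(2)]
    + [f"ts=t{i} src=10.0.0.53 dst=203.0.113.10 dport=53 proto=udp qname=d{i}.untrusted-example.net" for i in range(7)]
    + ["ts=t9 src=10.0.0.15 dst=203.0.113.10 dport=443 proto=tcp qname=-"]  # not DNS, ignored
)

if __name__ == "__main__":
    for src, info in find_outliers(SAMPLE_LOGS).items():
        print(src, info)
```

In production the per-host count would be taken over a fixed time window and compared against a baseline for that host, since a single static threshold is what produces the false positives the table warns about.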