Managed Sentinel – Alert 036
| Field | Value |
|---|---|
| Alert ID | MS-A036 |
| Alert Name | Internal hosts using unsanctioned DNS servers (Cisco ASA) |
| Description | Typically, in any organization there is an internal DNS server used by all internal hosts. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies. Whitelist the public DNS servers, such as Google and OpenDNS. The customer is to provide a list of sanctioned DNS server(s) used by internal systems. |
| Severity Level | Medium |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Persistence, Command and Control, Exfiltration |
| Log sources | Firewall Traffic Logs |
| False Positives | Valid software that uses DNS for transferring data. Personal mobile devices used within the corporate Wi-Fi network. |
| Recommendations | 1. Review the internal system and identify any suspicious applications or processes running on it. 2. Perform a full EDR scan on the targeted machine. 3. For organizations that use internal DNS servers, the perimeter firewall will detect the spike being initiated from the internal DNS server; additional review of the DNS server events may be required to identify the source machine generating the high volume of DNS traffic. 4. Review perimeter firewall logs and understand the type of DNS requests sent out. 5. Select the external DNS servers listed in this alert and match them against DNS threat intelligence lists. |
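The detection this alert describes, as an added example that is not part of the alert catalog: it parses Cisco ASA "Built outbound" connection messages (IDs 302013/302015), keeps port-53 flows, and reports any internal host resolving against a server outside the sanctioned list. The sanctioned list and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sanctioned set: the customer's internal resolvers plus the
# whitelisted public resolvers named in the alert (Google, OpenDNS).
SANCTIONED_DNS = {"10.0.0.53", "10.0.1.53", "8.8.8.8", "8.8.4.4",
                  "208.67.222.222", "208.67.220.220"}

# Cisco ASA connection-build messages: 302013 (TCP) and 302015 (UDP).
# Format: Built outbound UDP connection N for <if>:<dst>/<dport> (<nat>)
#         to <if>:<src>/<sport> (<nat>)
ASA_CONN_RE = re.compile(
    r"%ASA-6-30201[35]: Built outbound (?P<proto>UDP|TCP) connection \d+ "
    r"for \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\) "
    r"to \S+:(?P<src>[\d.]+)/(?P<sport>\d+)"
)

# Constructed sample firewall traffic log lines.
SAMPLE_LOGS = [
    "%ASA-6-302015: Built outbound UDP connection 1001 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.2.3/51000 (203.0.113.5/51000)",
    "%ASA-6-302015: Built outbound UDP connection 1002 for outside:198.51.100.9/53 (198.51.100.9/53) to inside:10.1.2.4/51001 (203.0.113.5/51001)",
    "%ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.9/53 (198.51.100.9/53) to inside:10.1.2.4/51002 (203.0.113.5/51002)",
    "%ASA-6-302015: Built outbound UDP connection 1004 for outside:198.51.100.9/123 (198.51.100.9/123) to inside:10.1.2.5/51003 (203.0.113.5/51003)",
    "%ASA-6-302015: Built outbound UDP connection 1005 for dmz:10.0.0.53/53 (10.0.0.53/53) to inside:10.1.2.6/51004 (10.1.2.6/51004)",
]


def find_unsanctioned_dns(lines, sanctioned=SANCTIONED_DNS):
    """Return (src_ip, dst_ip, proto) for every DNS flow to a non-sanctioned server."""
    hits = []
    for line in lines:
        m = ASA_CONN_RE.search(line)
        if not m or m.group("dport") != "53":   # only DNS flows
            continue
        if m.group("dst") in sanctioned:         # whitelisted resolver
            continue
        hits.append((m.group("src"), m.group("dst"), m.group("proto")))
    return hits


def summarize(hits):
    """Count flows per (internal host, external DNS server) to surface spikes."""
    return Counter((src, dst) for src, dst, _ in hits)


if __name__ == "__main__":
    for (src, dst), n in summarize(find_unsanctioned_dns(SAMPLE_LOGS)).items():
        print(f"{src} -> {dst}: {n} DNS flow(s) to unsanctioned server")
```

Feed the matched server addresses from `summarize` into the threat-intelligence check in recommendation 5; NTP and sanctioned-resolver traffic in the sample is correctly ignored.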