Managed Sentinel – Alert 057
Alert ID | MS-A057 |
Alert Name | Long DNS Query |
Description | The length of a DNS query name is often an indicator of suspicious activity. Ordinary domain names are short, whereas names used for data exfiltration or tunnelling can be very long, because the payload is encoded into the labels (Base64, Base32, hex and similar). The query looks for names of more than 200 characters. Note that a DNS name is limited to 253 characters, so this threshold catches only near-maximal queries; tunnelling tools that split data into shorter names will fall below it. Legitimate long queries also exist: reputation feeds (file-hash lookups over DNS) and some services (the source cites Spotify) use the DNS protocol to send information to external servers. Source: Github - Microsoft |
Severity Level | Low |
Threat Indicator | Data Theft |
MITRE ATT&CK Tactics | Command and Control, Exfiltration |
Log sources | DNS Logs |
False Positives | Legitimate internal services and third-party agents (e.g. DNS-based reputation lookups) that issue long DNS queries. Recommend allowlisting these applications by the queried domain suffix rather than by client IP, so the rule keeps firing for other destinations from the same host. |
Recommendations | Review the firewall/web proxy logs for the ClientIP making the DNS requests, and check whether the long names change with every query to the same domain, which is characteristic of tunnelling rather than a fixed lookup. |
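The rule's logic, replayed offline over a few DNS log lines, as an added example: this is not the Microsoft or Managed Sentinel query itself (which runs as KQL in Sentinel), the log format, hostnames, client IPs and allowlist suffix are all constructed for illustration, and the per-label statistics go beyond the page's plain length test to show a second signal a tunnel leaves behind.

```python
"""Added example (not Microsoft's or Managed Sentinel's query): replay the
MS-A057 'Long DNS Query' test over constructed DNS log lines.

All hostnames, IPs, timestamps and the allowlist below are constructed
for illustration; none of it is real data.
"""
from collections import defaultdict

LENGTH_THRESHOLD = 200   # the alert's cut-off: name length > 200
DNS_MAX_LABEL = 63       # RFC 1035 limit on one label (a whole name is <= 253)

# Hypothetical allowlist for services known to send long DNS queries
# (the page's false-positive guidance). Suffix match on the queried domain.
ALLOWLIST_SUFFIXES = ("reputation.example-av.net",)


def tunnel_name(payload: str, domain: str) -> str:
    """Build a name the way a DNS tunnel does: the encoded payload is chopped
    into maximum-length labels and the attacker-controlled zone is appended."""
    labels = [payload[i:i + DNS_MAX_LABEL]
              for i in range(0, len(payload), DNS_MAX_LABEL)]
    return ".".join(labels + [domain])


# Constructed sample log, one record per line: "timestamp,client_ip,query_name".
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z,10.0.0.7,www.example.com",
    "2024-01-01T10:00:01Z,10.0.0.5,login.example.com",
    # 192 hex characters of 'data' under a hypothetical attacker zone -> 211 chars
    "2024-01-01T10:00:02Z,10.0.0.5," + tunnel_name("deadbeef" * 24, "t.exfil.example"),
    "2024-01-01T10:00:03Z,10.0.0.5," + tunnel_name("cafef00d" * 24, "t.exfil.example"),
    # Long but legitimate: hash lookup against the allowlisted reputation service -> 221 chars
    "2024-01-01T10:00:04Z,10.0.0.9," + tunnel_name("0123456789abcdef" * 12, "reputation.example-av.net"),
]


def parse_line(line: str) -> dict:
    """Split one constructed log line; normalise the name (no trailing dot, lower case)."""
    ts, client_ip, name = line.rstrip("\n").split(",", 2)
    return {"ts": ts, "client_ip": client_ip, "name": name.strip().rstrip(".").lower()}


def is_allowlisted(name: str) -> bool:
    """True when the name is, or sits under, an allowlisted suffix."""
    return any(name == s or name.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def label_stats(name: str) -> tuple:
    """(label count, longest label). Tunnels pack labels up to the 63-octet limit,
    which ordinary hostnames almost never reach."""
    labels = name.split(".")
    return len(labels), max(len(label) for label in labels)


def hunt(lines, threshold: int = LENGTH_THRESHOLD) -> dict:
    """Apply the MS-A057 test (name length > threshold) to each log line, drop
    allowlisted names, and group the hits by client IP so the analyst can pivot
    to the firewall/proxy logs for that source as the page recommends."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if len(rec["name"]) <= threshold or is_allowlisted(rec["name"]):
            continue
        rec["labels"], rec["max_label"] = label_stats(rec["name"])
        hits[rec["client_ip"]].append(rec)
    return dict(hits)


if __name__ == "__main__":
    for ip, recs in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {len(recs)} long DNS queries")
        for r in recs:
            print(f"  len={len(r['name'])} labels={r['labels']} "
                  f"max_label={r['max_label']} {r['name'][:40]}...")
```

Running it reports only 10.0.0.5, with two 211-character names whose first three labels are all exactly 63 characters; the 221-character reputation lookup from 10.0.0.9 is dropped by the allowlist. Because a name cannot exceed 253 characters, the 200-character rule leaves little headroom: lowering the threshold in `hunt` or alerting on near-maximal labels widens coverage at the cost of more reviews.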