Managed Sentinel – Alert 242
| Field | Value |
|---|---|
| Alert ID | MS-A242 |
| Alert Name | Internal hosts querying large number of DNS servers |
| Description | This alert identifies internal hosts performing DNS queries against multiple DNS servers within a predefined time window. |
| Severity Level | Informational |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Exfiltration |
| Log sources | Firewall Traffic Logs; Windows Logs |
| False Positives | (a) Legitimate software that uses DNS for transferring data; (b) personal devices (BYOD) connected to the corporate network; (c) wireless-connected devices, which tend to generate a lot of DNS traffic to unsanctioned servers. |
| Recommendations | 1. Review the internal system and identify any suspicious applications or processes running on it. 2. Perform a full AV/AM scan on the targeted machine. 3. For organizations that use internal DNS servers, the perimeter firewall will see the spike originating from the internal DNS server (which forwards client queries); non-sanctioned external DNS servers can be blocked there. 4. Additional review of the DNS server events may be required to identify the source machine generating the high volume of DNS traffic. 5. Review the corporate DNS and DHCP infrastructure and correct any non-standard settings. |
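The detection logic this alert describes, as an added example that is not Managed Sentinel's own rule: group firewall traffic to destination port 53 by internal source host, slide a time window over each host's queries, and flag hosts that reach at least a threshold of distinct DNS servers inside one window. The log format, the 5-minute window and the threshold of 3 are assumptions, and the log lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall traffic log lines (sample data, not a real capture).
# Assumed field layout: timestamp src_ip dst_ip dst_port proto
SAMPLE_LOGS = """\
2024-03-01T10:00:01 10.1.2.15 10.1.0.53 53 udp
2024-03-01T10:00:05 10.1.2.15 10.1.0.53 53 udp
2024-03-01T10:00:09 10.1.2.15 10.1.0.53 53 udp
2024-03-01T10:00:02 10.1.2.40 10.1.0.53 53 udp
2024-03-01T10:00:07 10.1.2.40 8.8.8.8 53 udp
2024-03-01T10:00:12 10.1.2.40 1.1.1.1 53 udp
2024-03-01T10:00:20 10.1.2.40 9.9.9.9 53 udp
2024-03-01T10:00:25 10.1.2.40 198.51.100.7 53 udp
2024-03-01T10:00:30 10.1.2.40 203.0.113.9 443 tcp
2024-03-01T10:30:00 10.1.2.40 203.0.113.10 53 udp
"""


def parse(lines):
    """Yield (timestamp, src, dst, dst_port) tuples from the assumed log layout."""
    for line in lines.splitlines():
        ts, src, dst, port, _proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def hosts_querying_many_dns_servers(lines, window=timedelta(minutes=5), threshold=3):
    """Return {src_ip: {dns servers}} for internal hosts that contacted at
    least `threshold` distinct DNS servers within any `window`-long span."""
    queries = defaultdict(list)  # src -> [(ts, dst)] for DNS traffic only
    for ts, src, dst, port in parse(lines):
        if port == 53 and ipaddress.ip_address(src).is_private:
            queries[src].append((ts, dst))
    flagged = {}
    for src, events in queries.items():
        events.sort()  # logs are not guaranteed to arrive in time order
        start = 0
        for end, (ts, _) in enumerate(events):
            # Advance the window start until every event in it lies within `window`
            while ts - events[start][0] > window:
                start += 1
            servers = {dst for _, dst in events[start:end + 1]}
            if len(servers) >= threshold:
                flagged[src] = flagged.get(src, set()) | servers
    return flagged
```

Review flagged hosts against the false positives listed above (BYOD, wireless and DNS-tunnelling-style software) before escalating; the non-DNS line and the query half an hour later show that unrelated traffic and queries outside the window do not contribute to the count.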