Query Details

51 NK DNS Tunneling Long Hostnames

Query

id: b4c5d6e7-f8a9-4b0c-1d2e-3f4a5b6c7d8e
name: "Netskope - DNS Tunneling via Long Hostnames"
version: 1.0.0
kind: Scheduled
description: |
  Detects DNS tunneling indicators in Netskope traffic by identifying requests to
  domains with unusually long hostnames (>50 chars) or excessive subdomain depth (>5 levels).
  DNS tunneling is used for C2 communication and slow data exfiltration.
  MITRE ATT&CK: T1071.004 (DNS Application Layer Protocol)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeWebTransactions
    dataTypes:
      - NetskopeWebTx_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(domain_s)
  | extend
      HostnameLength  = strlen(domain_s),
      SubdomainParts  = countof(domain_s, ".")
  | where HostnameLength > 50 or SubdomainParts > 5
  | summarize
      QueryCount       = count(),
      UniqueSubdomains = dcount(domain_s),
      LongestHostname  = max(HostnameLength),
      SampleDomains    = make_set(domain_s, 10),
      Users            = make_set(user_s, 10),
      SourceIPs        = make_set(srcip_s, 10),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by srcip_s
  | where QueryCount > 10
  | order by LongestHostname desc, QueryCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: srcip_s
customDetails:
  QueryCount: QueryCount
  LongestHostname: LongestHostname
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope DNS Tunneling - {{srcip_s}} ({{LongestHostname}} char hostnames)"
  alertDescriptionFormat: "Source IP {{srcip_s}} generated {{QueryCount}} requests with long hostnames (max {{LongestHostname}} chars). Possible DNS tunneling."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential DNS tunneling activity in Netskope traffic. DNS tunneling is a technique often used for command and control (C2) communication and slow data exfiltration by attackers. The query looks for DNS requests to domains with unusually long hostnames (more than 50 characters) or with a deep subdomain structure (more than 5 levels).

Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from Netskope Web Transactions (the NetskopeWebTx_CL table).

  2. Time Frame: It examines data from the past day (24 hours).

  3. Criteria for Detection:
     • It checks if the domain name in the DNS request is longer than 50 characters.
     • It also checks if the domain has more than 5 subdomain levels (the query counts the dots in the hostname).

  4. Analysis:
     • It counts the number of such requests from each source IP.
     • It identifies unique subdomains, the longest hostname, and samples of domains involved.
     • It also tracks which users and source IPs are making these requests.

  5. Alerting:
     • If a source IP makes more than 10 such requests, it triggers an alert.
     • The alert includes details like the source IP, the number of requests, and the longest hostname detected.

  6. Incident Management:
     • An incident is created for each alert.
     • Incidents are grouped by source IP to manage related alerts together.

The query is scheduled to run every hour and is considered high severity due to the potential security implications of DNS tunneling. It also maps to the MITRE ATT&CK technique T1071.004, which involves using DNS for application layer protocol communication.
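To make the detection logic concrete, here is an added Python replay of the rule's three tests (hostname length over 50, more than 5 dots, more than 10 matching requests per source IP within the one-day window) run over a handful of constructed web-transaction rows. This is example code written for this page, not the rule itself and not Netskope or Microsoft code; the record field names mirror the KQL columns (TimeGenerated, srcip_s, user_s, domain_s), the hostnames under example.invalid are constructed, and the `sample_records` helper is hypothetical.

```python
"""Replay of the KQL rule's detection logic in plain Python (added example).

Mirrors: HostnameLength > 50 or SubdomainParts > 5, summarize by srcip_s
over ago(1d), then QueryCount > 10, ordered like the rule."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Thresholds copied from the rule.
HOSTNAME_LENGTH_THRESHOLD = 50
SUBDOMAIN_DOTS_THRESHOLD = 5
QUERY_COUNT_THRESHOLD = 10
LOOKBACK = timedelta(days=1)


def is_suspicious_hostname(domain: str) -> bool:
    """Same test as `HostnameLength > 50 or SubdomainParts > 5`.

    Like the KQL `countof(domain_s, ".")`, this counts dots, not labels:
    a hostname with exactly 5 dots (6 labels) does NOT match."""
    return (len(domain) > HOSTNAME_LENGTH_THRESHOLD
            or domain.count(".") > SUBDOMAIN_DOTS_THRESHOLD)


@dataclass
class SourceSummary:
    """One row of the rule's `summarize ... by srcip_s` output."""
    query_count: int = 0
    unique_domains: set = field(default_factory=set)
    longest_hostname: int = 0
    users: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def summarize_by_source(records, now):
    """Aggregate matching requests per source IP over the past day."""
    summaries = defaultdict(SourceSummary)
    for rec in records:
        ts = rec["TimeGenerated"]
        domain = rec.get("domain_s", "")
        # `where TimeGenerated > ago(1d)` and `where isnotempty(domain_s)`
        if ts <= now - LOOKBACK or not domain:
            continue
        if not is_suspicious_hostname(domain):
            continue
        s = summaries[rec["srcip_s"]]
        s.query_count += 1
        s.unique_domains.add(domain)
        s.longest_hostname = max(s.longest_hostname, len(domain))
        s.users.add(rec.get("user_s", ""))
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return summaries


def alerts(records, now):
    """Sources exceeding `QueryCount > 10`, ordered by longest hostname then count."""
    hits = {ip: s for ip, s in summarize_by_source(records, now).items()
            if s.query_count > QUERY_COUNT_THRESHOLD}
    return sorted(hits.items(),
                  key=lambda kv: (-kv[1].longest_hostname, -kv[1].query_count))


def sample_records(now):
    """Constructed sample rows (hypothetical helper, not real Netskope data)."""
    rows = []
    # 12 long-hostname requests from one source within the hour: crosses the threshold.
    for i in range(12):
        rows.append({"TimeGenerated": now - timedelta(minutes=i),
                     "srcip_s": "10.0.0.5", "user_s": "user-a",
                     "domain_s": "x" * 48 + f"{i:02d}.t.example.invalid"})  # 68 chars
    # A deep-but-short hostname (8 dots) from a second source, only 3 times: below threshold.
    for i in range(3):
        rows.append({"TimeGenerated": now - timedelta(minutes=i),
                     "srcip_s": "10.0.0.9", "user_s": "user-b",
                     "domain_s": "a.b.c.d.e.f.g.example.invalid"})
    # Ordinary traffic from the first source: never matched.
    rows.append({"TimeGenerated": now, "srcip_s": "10.0.0.5", "user_s": "user-a",
                 "domain_s": "www.example.invalid"})
    # A matching request older than the lookback window: ignored.
    rows.append({"TimeGenerated": now - timedelta(days=2), "srcip_s": "10.0.0.5",
                 "user_s": "user-a", "domain_s": "x" * 60 + ".example.invalid"})
    return rows


if __name__ == "__main__":
    now = datetime(2026, 4, 16, 12, 0)
    for ip, s in alerts(sample_records(now), now):
        print(f"{ip}: {s.query_count} requests, longest hostname {s.longest_hostname} chars, "
              f"{len(s.unique_domains)} unique domains, users={sorted(s.users)}")
```

Running it flags only 10.0.0.5 (12 matching requests, longest hostname 68 characters); the deep-hostname source stays under the 10-request threshold and the stale row is dropped by the lookback. The dot-count test is worth keeping in mind when tuning: long but legitimate hostnames from CDNs and cloud services will also satisfy the length test, so an allowlist on domain_s is the usual refinement before raising the severity further.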

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

Netskope, DNS, Tunneling, Hostnames, Domains, Subdomains, Communication, Data, Exfiltration, Traffic, Requests, Indicators, HostnameLength, SubdomainParts, QueryCount, UniqueSubdomains, SampleDomains, Users, SourceIPs, TimeGenerated, IP, Address

Operators

let, datatable, union, isfuzzy, where, ago, isnotempty, extend, strlen, countof, summarize, count, dcount, max, make_set, min, order by
