Query Details

Netskope - DNS Tunneling via Long Hostnames

51 NK DNS Tunneling Long Hostnames

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| extend
    HostnameLength  = strlen(domain_s),
    SubdomainParts  = countof(domain_s, ".")
| where HostnameLength > 50 or SubdomainParts > 5
| summarize
    QueryCount       = count(),
    UniqueSubdomains = dcount(domain_s),
    LongestHostname  = max(HostnameLength),
    SampleDomains    = make_set(domain_s, 10),
    Users            = make_set(user_s, 10),
    SourceIPs        = make_set(srcip_s, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by srcip_s
| where QueryCount > 10
| order by LongestHostname desc, QueryCount desc

Explanation

This query is designed to detect potential DNS tunneling activity in Netskope traffic. DNS tunneling is a technique often used for command and control (C2) communication and slow data exfiltration by attackers. The query looks for DNS requests to domains with unusually long hostnames (more than 50 characters) or with a deep subdomain structure (more than 5 levels).

Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from Netskope Web Transactions.

  2. Time Frame: It examines data from the past day (24 hours).

  3. Criteria for Detection:

    • It checks if the domain name in the DNS request is longer than 50 characters.
    • It also checks if the domain has more than 5 subdomain levels.
  4. Analysis:

    • It counts the number of such requests from each source IP.
    • It identifies unique subdomains, the longest hostname, and samples of domains involved.
    • It also tracks which users and source IPs are making these requests.
  5. Alerting:

    • If a source IP makes more than 10 such requests, it triggers an alert.
    • The alert includes details like the source IP, the number of requests, and the longest hostname detected.
  6. Incident Management:

    • An incident is created for each alert.
    • Incidents are grouped by source IP to manage related alerts together.

The query is scheduled to run every hour and is considered high severity due to the potential security implications of DNS tunneling. It also maps to the MITRE ATT&CK technique T1071.004, which involves using DNS for application layer protocol communication.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeWebTx_CL

Keywords

NetskopeDNSTunnelingHostnamesDomainsSubdomainsCommunicationDataExfiltrationTrafficRequestsIndicatorsHostnameLengthSubdomainPartsQueryCountUniqueSubdomainsSampleDomainsUsersSourceIPsTimeGeneratedIPAddress

Operators

letdatatableunionisfuzzywhereagoisnotemptyextendstrlencountofsummarizecountdcountmaxmake_setminorder by

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub