Netskope - DNS Tunneling via Long Hostnames
51 NK DNS Tunneling Long Hostnames
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| extend
HostnameLength = strlen(domain_s),
SubdomainParts = countof(domain_s, ".")
| where HostnameLength > 50 or SubdomainParts > 5
| summarize
QueryCount = count(),
UniqueSubdomains = dcount(domain_s),
LongestHostname = max(HostnameLength),
SampleDomains = make_set(domain_s, 10),
Users = make_set(user_s, 10),
SourceIPs = make_set(srcip_s, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by srcip_s
| where QueryCount > 10
| order by LongestHostname desc, QueryCount descExplanation
This query is designed to detect potential DNS tunneling activity in Netskope traffic. DNS tunneling is a technique often used for command and control (C2) communication and slow data exfiltration by attackers. The query looks for DNS requests to domains with unusually long hostnames (more than 50 characters) or with a deep subdomain structure (more than 5 levels).
Here's a simple breakdown of what the query does:
-
Data Source: It uses data from Netskope Web Transactions.
-
Time Frame: It examines data from the past day (24 hours).
-
Criteria for Detection:
- It checks if the domain name in the DNS request is longer than 50 characters.
- It also checks if the domain has more than 5 subdomain levels.
-
Analysis:
- It counts the number of such requests from each source IP.
- It identifies unique subdomains, the longest hostname, and samples of domains involved.
- It also tracks which users and source IPs are making these requests.
-
Alerting:
- If a source IP makes more than 10 such requests, it triggers an alert.
- The alert includes details like the source IP, the number of requests, and the longest hostname detected.
-
Incident Management:
- An incident is created for each alert.
- Incidents are grouped by source IP to manage related alerts together.
The query is scheduled to run every hour and is considered high severity due to the potential security implications of DNS tunneling. It also maps to the MITRE ATT&CK technique T1071.004, which involves using DNS for application layer protocol communication.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D