Query Details

65 NK BI DNS Tunneling Long Hostnames

Query

id: 4b5c6d7e-8f9a-4b0c-1d2e-3f4a5b6c7d8b
name: "Netskope (Built-in) - DNS Tunneling via Long Hostnames"
version: 1.0.0
kind: Scheduled
description: |
  Detects DNS tunneling indicators by identifying requests to domains with unusually
  long hostnames (>50 chars) or excessive subdomain depth (>5 levels).
  Uses the built-in NetskopeEvents_CL table.
  MITRE ATT&CK: T1071.004 (DNS Application Layer Protocol)
severity: High
requiredDataConnectors:
  - connectorId: NetskopeDataConnector
    dataTypes:
      - NetskopeEvents_CL
queryFrequency: PT1H
queryPeriod: P1D
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
  union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(domain_s)
  | extend
      HostnameLength  = strlen(domain_s),
      SubdomainParts  = countof(domain_s, ".")
  | where HostnameLength > 50 or SubdomainParts > 5
  | summarize
      QueryCount       = count(),
      UniqueSubdomains = dcount(domain_s),
      LongestHostname  = max(HostnameLength),
      SampleDomains    = make_set(domain_s, 10),
      Users            = make_set(user_s, 10),
      SourceIPs        = make_set(srcip_s, 10),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by srcip_s
  | where QueryCount > 10
  | order by LongestHostname desc, QueryCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: srcip_s
customDetails:
  QueryCount: QueryCount
  LongestHostname: LongestHostname
alertDetailsOverride:
  alertDisplayNameFormat: "Netskope BI DNS Tunneling - {{srcip_s}} ({{LongestHostname}} char hostnames)"
  alertDescriptionFormat: "Source IP {{srcip_s}} generated {{QueryCount}} requests with long hostnames (max {{LongestHostname}} chars)."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential DNS tunneling activities by analyzing DNS requests for unusual patterns. Here's a simplified breakdown:

  1. Purpose: The query identifies DNS requests to domains with either very long hostnames (more than 50 characters) or a high number of subdomain levels (more than 5). These characteristics can indicate DNS tunneling, a technique often used for data exfiltration or command and control communication.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which is part of the Netskope data connector.

  3. Frequency and Scope: The query runs every hour and examines data from the past day.

  4. Logic:

    • It first checks for non-empty domain fields.
    • It calculates the length of each hostname and the number of subdomain parts.
    • It filters for domains that exceed the specified length or subdomain count.
    • It summarizes the data by source IP, counting the number of queries, unique subdomains, and the longest hostname observed.
    • It only considers source IPs with more than 10 such queries.

  5. Output: The results are ordered by the longest hostname and the number of queries. It also captures sample domains, users, and source IPs involved.

  6. Alerting: If the conditions are met, an alert is generated with details about the source IP, the number of requests, and the maximum hostname length. The alert is configured to create an incident, grouping by IP if multiple alerts are related.

  7. Severity and Tactics: The severity is marked as high, and it aligns with the MITRE ATT&CK technique T1071.004, which involves using DNS for command and control.

Overall, this query helps in identifying suspicious DNS activities that could indicate malicious behavior, allowing for further investigation and response.
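The detection logic above, reproduced in Python as an added example (this is not part of the rule, the Netskope connector, or the author's material) so the thresholds can be exercised offline against constructed events; the record layout and the `sample_events` data are assumptions that mirror the `_s` columns the KQL uses.

```python
from collections import defaultdict

# Thresholds mirroring the KQL rule above.
MAX_HOSTNAME_LEN = 50    # HostnameLength > 50
MAX_DOTS = 5             # SubdomainParts = countof(domain_s, ".") > 5
MIN_QUERY_COUNT = 10     # QueryCount > 10 per source IP

def is_suspicious(domain: str) -> bool:
    """Per-event predicate. Note countof counts dots, not labels: a name
    with six labels has five dots and is NOT flagged by this rule."""
    if not domain:                      # isnotempty(domain_s)
        return False
    return len(domain) > MAX_HOSTNAME_LEN or domain.count(".") > MAX_DOTS

def summarize_by_source(events):
    """summarize ... by srcip_s, then QueryCount > 10, then order by."""
    groups = defaultdict(list)
    for ev in events:
        if is_suspicious(ev.get("domain_s", "")):
            groups[ev["srcip_s"]].append(ev)
    rows = []
    for srcip, evs in groups.items():
        if len(evs) <= MIN_QUERY_COUNT:
            continue
        domains = [e["domain_s"] for e in evs]
        rows.append({
            "srcip_s": srcip,
            "QueryCount": len(evs),
            "UniqueSubdomains": len(set(domains)),
            "LongestHostname": max(len(d) for d in domains),
            "SampleDomains": sorted(set(domains))[:10],   # make_set(domain_s, 10)
            "Users": sorted({e["user_s"] for e in evs})[:10],
        })
    rows.sort(key=lambda r: (-r["LongestHostname"], -r["QueryCount"]))
    return rows

def sample_events():
    """Constructed sample events (not real Netskope telemetry)."""
    evs = [{"srcip_s": "10.0.0.5", "user_s": "alice@example.com",
            "domain_s": f"{i:02d}{'a' * 48}.t.example.com"} for i in range(12)]
    # Deep but short names, only three of them: each is flagged, but the
    # source stays under QueryCount > 10 and is not reported.
    evs += [{"srcip_s": "10.0.0.7", "user_s": "bob@example.com",
             "domain_s": "a.b.c.d.e.f.example.com"}] * 3
    evs.append({"srcip_s": "10.0.0.9", "user_s": "carol@example.com",
                "domain_s": "www.example.com"})
    return evs
```

Running `summarize_by_source(sample_events())` reports only 10.0.0.5; lowering `MIN_QUERY_COUNT` or `MAX_DOTS` shows how the second source would surface when tuning the rule.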

Details


David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEvents, Domain, Hostname, Subdomain, SourceIP, User

Operators

let, datatable, union, isfuzzy, where, ago, isnotempty, extend, strlen, countof, summarize, count, dcount, max, make_set, min, order by