Query Details

Netskope (Built-in) - DNS Tunneling via Long Hostnames

65 NK BI DNS Tunneling Long Hostnames

Query

let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| extend
    HostnameLength  = strlen(domain_s),
    SubdomainParts  = countof(domain_s, ".")
| where HostnameLength > 50 or SubdomainParts > 5
| summarize
    QueryCount       = count(),
    UniqueSubdomains = dcount(domain_s),
    LongestHostname  = max(HostnameLength),
    SampleDomains    = make_set(domain_s, 10),
    Users            = make_set(user_s, 10),
    SourceIPs        = make_set(srcip_s, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by srcip_s
| where QueryCount > 10
| order by LongestHostname desc, QueryCount desc

Explanation

This query is designed to detect potential DNS tunneling activities by analyzing DNS requests for unusual patterns. Here's a simplified breakdown:

  1. Purpose: The query identifies DNS requests to domains with either very long hostnames (more than 50 characters) or a high number of subdomain levels (more than 5). These characteristics can indicate DNS tunneling, a technique often used for data exfiltration or command and control communication.

  2. Data Source: It uses data from the NetskopeEvents_CL table, which is part of the Netskope data connector.

  3. Frequency and Scope: The query runs every hour and examines data from the past day.

  4. Logic:

    • It first checks for non-empty domain fields.
    • It calculates the length of each hostname and the number of subdomain parts.
    • It filters for domains that exceed the specified length or subdomain count.
    • It summarizes the data by source IP, counting the number of queries, unique subdomains, and the longest hostname observed.
    • It only considers source IPs with more than 10 such queries.
  5. Output: The results are ordered by the longest hostname and the number of queries. It also captures sample domains, users, and source IPs involved.

  6. Alerting: If the conditions are met, an alert is generated with details about the source IP, the number of requests, and the maximum hostname length. The alert is configured to create an incident, grouping by IP if multiple alerts are related.

  7. Severity and Tactics: The severity is marked as high, and it aligns with the MITRE ATT&CK technique T1071.004, which involves using DNS for command and control.

Overall, this query helps in identifying suspicious DNS activities that could indicate malicious behavior, allowing for further investigation and response.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

NetskopeEvents_CL

Keywords

NetskopeEventsDomainHostnameSubdomainSourceIPUser

Operators

letdatatableunionisfuzzywhereagoisnotemptyextendstrlencountofsummarizecountdcountmaxmake_setminorder by

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: PT1H

Period: P1D

Actions

GitHub