Netskope (Built-in) - DNS Tunneling via Long Hostnames
65 NK BI DNS Tunneling Long Hostnames
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string, dst_country_s:string, src_country_s:string, ccl_s:string, access_method_s:string, traffic_type_s:string)[];
union isfuzzy=true _NetskopeEmpty, NetskopeEvents_CL
| where TimeGenerated > ago(1d)
| where isnotempty(domain_s)
| extend
HostnameLength = strlen(domain_s),
SubdomainParts = countof(domain_s, ".")
| where HostnameLength > 50 or SubdomainParts > 5
| summarize
QueryCount = count(),
UniqueSubdomains = dcount(domain_s),
LongestHostname = max(HostnameLength),
SampleDomains = make_set(domain_s, 10),
Users = make_set(user_s, 10),
SourceIPs = make_set(srcip_s, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by srcip_s
| where QueryCount > 10
| order by LongestHostname desc, QueryCount descExplanation
This query is designed to detect potential DNS tunneling activities by analyzing DNS requests for unusual patterns. Here's a simplified breakdown:
-
Purpose: The query identifies DNS requests to domains with either very long hostnames (more than 50 characters) or a high number of subdomain levels (more than 5). These characteristics can indicate DNS tunneling, a technique often used for data exfiltration or command and control communication.
-
Data Source: It uses data from the
NetskopeEvents_CLtable, which is part of the Netskope data connector. -
Frequency and Scope: The query runs every hour and examines data from the past day.
-
Logic:
- It first checks for non-empty domain fields.
- It calculates the length of each hostname and the number of subdomain parts.
- It filters for domains that exceed the specified length or subdomain count.
- It summarizes the data by source IP, counting the number of queries, unique subdomains, and the longest hostname observed.
- It only considers source IPs with more than 10 such queries.
-
Output: The results are ordered by the longest hostname and the number of queries. It also captures sample domains, users, and source IPs involved.
-
Alerting: If the conditions are met, an alert is generated with details about the source IP, the number of requests, and the maximum hostname length. The alert is configured to create an incident, grouping by IP if multiple alerts are related.
-
Severity and Tactics: The severity is marked as high, and it aligns with the MITRE ATT&CK technique T1071.004, which involves using DNS for command and control.
Overall, this query helps in identifying suspicious DNS activities that could indicate malicious behavior, allowing for further investigation and response.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D