Query Details

Defender XDR Threat Hunting DNS Tunneling

Query

// DefenderXDR - Threat Hunting DNS Tunneling

// DNS tunneling commonly uses A or TXT record lookups so that an infected host can receive data
// (other record types such as CNAME and NULL are abused the same way).
// To exfiltrate data to a C2 server, the host encodes it in the queried hostname, so its DNS
// queries spike in volume and carry unusually long names that differ from query to query.

let DNSHostnameLengthCheck = 40;   // starting point; tune per environment, many CDN and telemetry names exceed it
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == @"DnsQueryResponse"
| extend DNSHostQuery = tostring(parse_json(AdditionalFields).DnsQueryString)
| where strlen(DNSHostQuery) > DNSHostnameLengthCheck
| summarize DNSQueriedHost=dcount(DNSHostQuery) by DeviceName   // distinct names: one long name queried repeatedly counts once
| sort by DNSQueriedHost desc

// Query 2 - Analyze the top suspected DNS tunneling host
// Look for generated DNS requests like the sample below (encoded data in the subdomain labels, attacker domain at the end):
// 0018786966.96428380.04.5E43287B03114C04A64F68C0C23E44F4.n.156.887.empty.6_1._t_i.3000.explorer_exe.156.rc2.a4h9uploading[.]com

Explanation

This query is designed to help identify potential DNS tunneling activities, which is a technique often used by attackers to exfiltrate data from a compromised system to a command-and-control (C2) server. Here's a simplified explanation of what the query does:

  1. Set a Threshold for DNS Hostname Length: The query defines a threshold (DNSHostnameLengthCheck) of 40 characters for the length of DNS hostnames, because DNS tunneling encodes data in the queried name and so produces unusually long hostnames. The value is a starting point rather than a hard rule: legitimate CDN, telemetry and anti-virus lookup names also exceed 40 characters, so expect to tune it or exclude known domains.

  2. Filter Device Events: It looks at device events from the past 30 days (Timestamp > ago(30d)) and specifically focuses on events where the action type is a DNS query response (ActionType == "DnsQueryResponse").

  3. Extract and Check DNS Hostnames: The query extracts the DNS query string from the additional fields of the event data and converts it to a string (DNSHostQuery). It then filters these queries to only include those with a length greater than the defined threshold (strlen(DNSHostQuery) > DNSHostnameLengthCheck).

  4. Summarize and Sort Results: It counts the number of distinct long DNS queries for each device (summarize DNSQueriedHost=dcount(DNSHostQuery) by DeviceName) and sorts the results in descending order based on that count (sort by DNSQueriedHost desc). Using dcount rather than count matters: a tunnel encodes different data in almost every query, so distinct names pile up, whereas a legitimate long hostname queried thousands of times is counted once. This ranks the devices with the most suspicious DNS activity at the top.

  5. Analyze Top Suspected Hosts: The comment at the end gives a sample of what a tunneled query looks like: many dot-separated labels (numeric counters, a 32-character hex string, a process name such as explorer_exe) in front of the attacker's registered domain. The data is carried in the subdomain labels, which is why the names are long and vary from one query to the next.

Overall, this query helps security analysts identify devices that may be using DNS tunneling for data exfiltration by highlighting those with an unusually high number of distinct long DNS queries. Treat the output as a ranked list for investigation rather than an alert: pivot on the top device's long queries and group them by registered domain. A tunneling domain shows many distinct subdomains that look like encoded data, while a CDN or telemetry domain shows a handful of stable names.
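To make the query's logic concrete, the following is an added Python re-implementation run over constructed DeviceEvents-style rows. It is example code written for this page, not part of the original query or of Defender XDR. It mirrors each stage of the KQL above (time window, ActionType filter, parsing DnsQueryString out of AdditionalFields, the length threshold, dcount per device, descending sort) and adds the Query 2 pivot the comment describes: grouping one device's long queries by registered domain with a distinct-name count and the Shannon entropy of the subdomain part. Assumptions: the event rows, device names and domains (all under .test) are constructed; registered_domain takes the last two labels, which is wrong for multi-part public suffixes such as co.uk, so real tooling should use a public-suffix list; AdditionalFields is modelled as a JSON string holding only DnsQueryString.

```python
import json
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

DNS_HOSTNAME_LENGTH_CHECK = 40  # same threshold as the KQL query

# Fixed "now" so the 30-day window is reproducible (constructed, not real telemetry).
NOW = datetime(2024, 10, 5, tzinfo=timezone.utc)


def _row(device, hostname, days_ago=1, action="DnsQueryResponse"):
    """Build a constructed DeviceEvents-shaped row. AdditionalFields is a JSON string."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceName": device,
        "ActionType": action,
        "AdditionalFields": json.dumps({"DnsQueryString": hostname}),
    }


# Constructed sample rows (placeholder .test domains, not real indicators).
SAMPLE_EVENTS = [
    # ws01: five tunnel-style queries, each carrying a different encoded payload in its labels
    *[
        _row(
            "ws01.contoso.local",
            f"{i:010d}.{i * 7919:08d}.04.5E43287B03114C04A64F68C0C23E44F4.n.156.explorer_exe.rc2.exfil-example.test",
        )
        for i in range(5)
    ],
    # ws02: one long CDN-style name queried 50 times (legitimate, repetitive)
    *[_row("ws02.contoso.local", "d1a2b3c4d5e6f7.cloudfront-style-cdn-example.test") for _ in range(50)],
    # ws02: a short name (fails the length check) and a non-DNS event (fails the ActionType check)
    _row("ws02.contoso.local", "login.example.test"),
    _row("ws02.contoso.local", "x" * 60 + ".example.test", action="ProcessCreated"),
    # ws03: a long name, but 45 days old, outside the 30-day window
    _row("ws03.contoso.local", "0123456789abcdef0123456789abcdef.old-example.test", days_ago=45),
]


def extract_query(row):
    """Mirror of: extend DNSHostQuery = tostring(parse_json(AdditionalFields).DnsQueryString)"""
    return str(json.loads(row["AdditionalFields"]).get("DnsQueryString", ""))


def long_dns_queries(events, now=NOW, window_days=30, threshold=DNS_HOSTNAME_LENGTH_CHECK):
    """Rows that survive the three where clauses, returned as (DeviceName, DNSHostQuery)."""
    cutoff = now - timedelta(days=window_days)
    kept = []
    for row in events:
        if row["Timestamp"] <= cutoff or row["ActionType"] != "DnsQueryResponse":
            continue
        query = extract_query(row)
        if len(query) > threshold:
            kept.append((row["DeviceName"], query))
    return kept


def rank_devices(events, **kw):
    """summarize DNSQueriedHost=dcount(DNSHostQuery) by DeviceName | sort by DNSQueriedHost desc"""
    distinct = defaultdict(set)
    for device, query in long_dns_queries(events, **kw):
        distinct[device].add(query)  # a set, so repeats of the same long name count once
    return sorted(((d, len(s)) for d, s in distinct.items()), key=lambda x: (-x[1], x[0]))


def registered_domain(hostname):
    """Assumption: last two labels. Use a public-suffix list in production (co.uk etc.)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; encoded payload labels tend to score higher than readable names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def profile_device(events, device, **kw):
    """Query 2 style pivot: one device's long queries grouped by registered domain."""
    by_domain = defaultdict(set)
    for d, query in long_dns_queries(events, **kw):
        if d == device:
            by_domain[registered_domain(query)].add(query)
    profile = []
    for domain, queries in by_domain.items():
        subdomains = [q[: -len(domain) - 1] for q in queries]
        profile.append({
            "domain": domain,
            "distinct_queries": len(queries),
            "avg_length": sum(len(q) for q in queries) / len(queries),
            "avg_subdomain_entropy": sum(shannon_entropy(s) for s in subdomains) / len(subdomains),
        })
    return sorted(profile, key=lambda p: -p["distinct_queries"])


if __name__ == "__main__":
    ranking = rank_devices(SAMPLE_EVENTS)
    print(ranking)
    print(profile_device(SAMPLE_EVENTS, ranking[0][0]))
```

The ranking puts ws01 first with five distinct long names and ws02 second with one, even though ws02 issued ten times as many long queries; that is the dcount effect described in step 4. The profile of ws01 then shows a single registered domain receiving many distinct, long, high-entropy subdomains, which is the shape to look for when reviewing the top hosts.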

Details


Steven Lim

Released: October 5, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

let, where, >, ==, extend, tostring, parse_json, strlen, summarize, dcount, by, sort, desc
