APIs (Application Programming Interfaces) enable integration and automation across different vendor platforms within a SOAR (Security Orchestration, Automation, and Response) solution. They allow security tools to communicate and execute automated actions, making them essential for orchestrating responses across diverse systems and platforms. While STIX/TAXII provides standards for threat information sharing, and data enrichment enhances context, APIs are the primary means of enabling cross-platform automation, as recommended in CompTIA CySA+ materials on SOAR operations.

DNS exfiltration is a technique that uses the DNS protocol to transfer data from a compromised network or device to an attacker-controlled server. DNS exfiltration can bypass firewall rules and security products that do not inspect DNS traffic. The characteristics of the suspicious DNS traffic in the question match the indicators of DNS exfiltration, such as:
DNS traffic while a tunneling session is active: This implies that the DNS protocol is being used to create a covert channel for data transfer.
The mean time between queries is less than one second: This implies that the DNS queries are being sent at a high frequency to maximize the amount of data transferred.
The average query length exceeds 100 characters: This implies that the DNS queries are encoding large amounts of data in the subdomains or other fields of the DNS packets.
Official References:
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://resources.infosecinstitute.com/topic/bypassing-security-products-via-dns-data-exfiltration/
https://www.reddit.com/r/CompTIA/comments/nvjuzt/dns_exfiltration_explanation/

A rollback had been executed on the instance. If a database server is restored to a previous state, it may reintroduce a vulnerability that was previously fixed. This can happen due to backup and recovery operations, configuration changes, or software updates. A rollback can undo the patching or mitigation actions that were applied to remediate the vulnerability. References: Vulnerability Remediation: It's Not Just Patching, Section:
The Remediation Process; Vulnerability assessment for SQL Server, Section: Remediation

The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the- middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network.