Activity observed to a malicious domain

This rule is part of a beta feature. To learn more, contact Support.

Classification:

threat-intel

Tactic:

TA0011-command-and-control

Technique:

T1071-application-layer-protocol

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect activity to a malicious domain based on Datadog threat intelligence feeds.

Strategy

This rule lets you monitor DNS events where the @network.client.ip value has been categorized as malicious.

Triage and response

  1. Determine if {{@dns.question.name}} and @network.client.ip are anomalous within the organization:
    • Review DNS logs to confirm the requests to the malicious domain. Look for the frequency, timing, and any associated IP addresses.
    • Determine whether the requests are automated (e.g., malware or botnet) or manual (e.g., a user clicking a malicious link).
  2. If the DNS request is deemed malicious:
    • Begin your company’s incident response process.