DNSFilter threat request allowed

This rule is part of a beta feature. To learn more, contact Support.

Goal

Trigger an alert when allowed threat requests are detected.

Strategy

This rule continuously monitors DNSFilter traffic logs and triggers an alert when allowed threat requests are detected. It helps identify devices that may be accessing harmful domains because of weak or misconfigured DNS policies.

Triage and Response

  1. Identify the request address {{@network.client.ip}} making the allowed threat-flagged DNS requests and review the accessed domain.
  2. Review the threat categories involved to understand the nature of the risk.
  3. Check the policy {{@policy_name}} applied to the source to determine why these threats were not blocked.
  4. If threats are severe, isolate the system, run a malware scan, and block the domain or IP.
  5. Update DNSFilter blocklists or filtering policies as needed, and continue monitoring for recurring blocked activity.
  6. Conduct user awareness training if needed, focusing on safe browsing habits and how to avoid suspicious links.
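As an added example (not part of the Datadog rule or of DNSFilter's own tooling), the Python script below applies the Strategy section's condition to a few constructed DNSFilter-style log lines, keeping only requests that were allowed yet carry a threat category and summarising them by client IP and policy so the triage steps above have a starting point. The fields `action`, `domain` and `threat_categories` are assumptions about the log format; only `network.client.ip` and `policy_name` come from the rule text.

```python
import json
from collections import defaultdict

# Constructed DNSFilter-style traffic log records, one JSON object per line.
# Field names other than network.client.ip and policy_name are assumptions.
SAMPLE_LOG_LINES = [
    '{"network":{"client":{"ip":"10.0.0.5"}},"domain":"bad.example","action":"allowed","threat_categories":["malware"],"policy_name":"Guest"}',
    '{"network":{"client":{"ip":"10.0.0.5"}},"domain":"phish.example","action":"allowed","threat_categories":["phishing","botnet"],"policy_name":"Guest"}',
    '{"network":{"client":{"ip":"10.0.0.9"}},"domain":"bad.example","action":"blocked","threat_categories":["malware"],"policy_name":"Corporate"}',
    '{"network":{"client":{"ip":"10.0.0.7"}},"domain":"news.example","action":"allowed","threat_categories":[],"policy_name":"Corporate"}',
    'not json at all',
]

def parse_records(lines):
    """Parse JSON log lines, skipping anything that is not a JSON object."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records

def is_allowed_threat(rec):
    """The rule's condition: the request was allowed AND carries a threat category."""
    return rec.get("action") == "allowed" and bool(rec.get("threat_categories"))

def summarize_allowed_threats(lines):
    """Group allowed threat requests by (client IP, policy name) for triage."""
    summary = defaultdict(lambda: {"count": 0, "domains": set(), "categories": set()})
    for rec in parse_records(lines):
        if not is_allowed_threat(rec):
            continue
        ip = rec.get("network", {}).get("client", {}).get("ip", "unknown")
        key = (ip, rec.get("policy_name", "unknown"))
        entry = summary[key]
        entry["count"] += 1
        entry["domains"].add(rec.get("domain", "unknown"))
        entry["categories"].update(rec.get("threat_categories", []))
    return dict(summary)

if __name__ == "__main__":
    for (ip, policy), info in summarize_allowed_threats(SAMPLE_LOG_LINES).items():
        print(f"ALERT client={ip} policy={policy} count={info['count']} "
              f"domains={sorted(info['domains'])} categories={sorted(info['categories'])}")
```

Blocked requests and allowed requests without a threat category are left out, so each remaining key is one device/policy pair to walk through the triage steps with.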