This rule is part of a beta feature. To learn more, contact Support.

Goal

Trigger an alert when allowed threat requests are detected.

Strategy

This rule continuously monitors DNSFilter traffic logs and triggers an alert when allowed threat requests are detected. It helps identify devices that may be accessing harmful domains because of weak or misconfigured DNS policies.

Triage and Response

  1. Identify the client address {{@network.client.ip}} that made the allowed threat-flagged DNS requests and review the domains it accessed.
  2. Review the threat categories involved to understand the nature of the risk.
  3. Check the policy {{@policy_name}} applied to the source to determine why these threats were not blocked.
  4. If threats are severe, isolate the system, run a malware scan, and block the domain or IP.
  5. Update DNSFilter blocklists or filtering policies as needed, and continue monitoring for recurring blocked activity.
  6. Conduct user awareness training if needed, focusing on safe browsing habits and how to avoid suspicious links.
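The detection logic described in the Strategy section, run over a few constructed DNSFilter-style log records, as an added example that is not part of this rule or of DNSFilter itself. Only `network.client.ip` and `policy_name` come from the page; the `action`, `threat_categories` and `domain` fields and the sample values are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records in a DNSFilter-like shape (not real DNSFilter output).
# Field names other than network.client.ip and policy_name are assumptions.
SAMPLE_LOGS = [
    '{"network":{"client":{"ip":"10.0.0.12"}},"domain":"bad.example","action":"allowed","threat_categories":["Malware"],"policy_name":"Guest Wi-Fi"}',
    '{"network":{"client":{"ip":"10.0.0.12"}},"domain":"phish.example","action":"allowed","threat_categories":["Phishing"],"policy_name":"Guest Wi-Fi"}',
    '{"network":{"client":{"ip":"10.0.0.7"}},"domain":"bad.example","action":"blocked","threat_categories":["Malware"],"policy_name":"Corporate"}',
    '{"network":{"client":{"ip":"10.0.0.9"}},"domain":"news.example","action":"allowed","threat_categories":[],"policy_name":"Corporate"}',
    'not json at all',
]


def is_allowed_threat(record):
    """True when the resolver let a request through despite a threat category being flagged."""
    return record.get("action") == "allowed" and bool(record.get("threat_categories"))


def find_allowed_threats(lines):
    """Parse log lines, keep allowed threat-flagged requests, group them by (client IP, policy).

    Grouping by client and policy mirrors triage steps 1 and 3: each key names the device
    that reached the domain and the policy that failed to block it.
    """
    findings = defaultdict(lambda: {"domains": set(), "categories": set(), "count": 0})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole sweep
        if not is_allowed_threat(rec):
            continue  # blocked requests and clean domains are not findings for this rule
        ip = rec.get("network", {}).get("client", {}).get("ip", "unknown")
        key = (ip, rec.get("policy_name", "unknown"))
        finding = findings[key]
        finding["domains"].add(rec.get("domain", ""))
        finding["categories"].update(rec.get("threat_categories", []))
        finding["count"] += 1
    return dict(findings)


def summarize(findings):
    """Render one alert line per (client IP, policy) pair, sorted for stable output."""
    return [
        f"ALERT client={ip} policy={policy!r} requests={f['count']} "
        f"categories={sorted(f['categories'])} domains={sorted(f['domains'])}"
        for (ip, policy), f in sorted(findings.items())
    ]


if __name__ == "__main__":
    for alert in summarize(find_allowed_threats(SAMPLE_LOGS)):
        print(alert)
```

On the sample above only the Guest Wi-Fi client produces an alert; the blocked request and the clean domain are correctly ignored.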