DNSFilter threat request allowed

This rule is part of a beta feature. To learn more, contact Support.

Goal

Trigger an alert when allowed threat requests are detected.

Strategy

This rule continuously monitors DNSFilter traffic logs and triggers an alert when allowed threat requests are detected. It helps identify devices that may be accessing harmful domains because of weak or misconfigured DNS policies.

Triage and Response

  1. Identify the source address {{@network.client.ip}} making the allowed, threat-flagged DNS requests and review the domain that was accessed.
  2. Review the threat categories involved to understand the nature of the risk.
  3. Check the policy {{@policy_name}} applied to the source to determine why these threats were not blocked.
  4. If threats are severe, isolate the system, run a malware scan, and block the domain or IP.
  5. Update DNSFilter blocklists or filtering policies as needed, and continue monitoring for recurring blocked activity.
  6. Conduct user awareness training if needed, focusing on safe browsing habits and how to avoid suspicious links.
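The following is an added example, not code from Datadog or DNSFilter. It applies the rule's detection condition from the Strategy section (a request the resolver allowed that still carried threat categories) to a few constructed DNSFilter-style log records, then groups the hits by source IP and policy, which is the information triage steps 1 through 4 ask for. Only `network.client.ip` and `policy_name` come from the page (as `@network.client.ip` and `@policy_name`); the `action`, `domain` and `threat_categories` field names and all sample values are assumptions.

```python
# Added example (not Datadog's or DNSFilter's own code). Mirrors the rule:
# flag DNS requests that were allowed despite carrying threat categories,
# and summarise them per source IP and policy for triage.
# Field names other than network.client.ip and policy_name are assumptions
# about the log schema.
from collections import defaultdict

# Constructed sample records; domains and IPs are illustrative, not real IoCs.
SAMPLE_LOGS = [
    {"network": {"client": {"ip": "10.0.0.5"}}, "policy_name": "Default-Permissive",
     "domain": "malware-example.test", "threat_categories": ["Malware"], "action": "allowed"},
    {"network": {"client": {"ip": "10.0.0.5"}}, "policy_name": "Default-Permissive",
     "domain": "phish-example.test", "threat_categories": ["Phishing"], "action": "allowed"},
    {"network": {"client": {"ip": "10.0.0.9"}}, "policy_name": "Strict",
     "domain": "botnet-example.test", "threat_categories": ["Botnet"], "action": "blocked"},
    {"network": {"client": {"ip": "10.0.0.7"}}, "policy_name": "Default-Permissive",
     "domain": "example.test", "threat_categories": [], "action": "allowed"},
    {"network": {"client": {"ip": "10.0.0.5"}}, "policy_name": "Default-Permissive",
     "domain": "malware-example.test", "threat_categories": ["Malware", "Phishing"], "action": "allowed"},
]


def get_path(record, dotted):
    """Resolve a dotted attribute path such as 'network.client.ip'."""
    value = record
    for key in dotted.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(key)
    return value


def is_allowed_threat(record):
    """Rule condition: the resolver allowed the request AND the domain carried threat categories."""
    return record.get("action") == "allowed" and bool(record.get("threat_categories"))


def find_allowed_threats(records):
    """Return the records that would trigger this rule."""
    return [r for r in records if is_allowed_threat(r)]


def summarize_by_source(records):
    """Group hits by client IP: which policy let them through, which domains and categories."""
    summary = defaultdict(lambda: {"policy_name": None, "domains": set(), "categories": set(), "count": 0})
    for r in find_allowed_threats(records):
        entry = summary[get_path(r, "network.client.ip")]
        entry["policy_name"] = r.get("policy_name")
        entry["domains"].add(r.get("domain"))
        entry["categories"].update(r.get("threat_categories", []))
        entry["count"] += 1
    return dict(summary)


def triage_lines(records, severe=("Malware", "Botnet")):
    """One line per source; sources whose categories are in `severe` are marked for isolation (step 4)."""
    lines = []
    for ip, e in sorted(summarize_by_source(records).items()):
        flag = "ISOLATE" if e["categories"] & set(severe) else "review"
        lines.append(f"{flag} {ip} policy={e['policy_name']} hits={e['count']} "
                     f"domains={sorted(e['domains'])} categories={sorted(e['categories'])}")
    return lines


if __name__ == "__main__":
    for line in triage_lines(SAMPLE_LOGS):
        print(line)
```

Of the five constructed records only the three allowed requests with threat categories fire; the blocked request and the allowed request with no categories are ignored, which is the distinction this rule draws against a plain "threat request blocked" rule. The per-source summary is what you would check against the policy named in `policy_name` to understand why the domains were not blocked.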