DNS traffic to Recorded Future identified malicious domain
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect DNS traffic to domains identified as malicious by Recorded Future threat intelligence.
Strategy
This rule monitors DNS activity (@ocsf.class_uid:4003) logs enriched with Recorded Future threat intelligence, triggering when a host attempts to resolve a domain flagged by Recorded Future.
Triage & Response
- Identify the source host
{{@ocsf.src_endpoint.ip}} that generated the DNS traffic. - Investigate whether the host has been compromised and is attempting to communicate with a known C2 infrastructure. Isolate the host if compromise is confirmed.
- Review other network activity from the source IP around the same time for lateral movement or data exfiltration.
