DNSFilter threat request allowed
Goal
Trigger an alert when allowed threat requests are detected.
Strategy
This rule continuously monitors DNSFilter traffic logs and triggers an alert when allowed threat requests are detected. It helps identify devices that may be accessing harmful domains because of weak or misconfigured DNS policies.
Triage and Response
- Identify the client IP address {{@network.client.ip}} making the allowed threat-flagged DNS requests and review the accessed domain.
- Review the threat categories involved to understand the nature of the risk.
- Check the policy {{@policy_name}} applied to the source to determine why these threats were not blocked.
- If the threats are severe, isolate the system, run a malware scan, and block the domain or IP.
- Update DNSFilter blocklists or filtering policies as needed, and continue monitoring for recurring allowed threat activity from the same source or policy.
- Conduct user awareness training if needed, focusing on safe browsing habits and how to avoid suspicious links.
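The detection and triage steps above, as an added example that is not Datadog's rule query or DNSFilter's own code: a small Python script that scans constructed DNSFilter-style traffic records, keeps only requests that were allowed despite carrying a threat category, and groups the hits by the two fields the triage steps start with, the client IP and the applied policy. The field names (`action`, `threat_categories`, `query`, `policy_name`, `network.client.ip`) and all sample values are assumptions made for this example, not the integration's actual log schema.

```python
import json
from collections import defaultdict

# Constructed sample DNSFilter-style traffic events (one JSON object per line).
# The field names and values are assumptions for this example only; they are not
# DNSFilter's or Datadog's real schema. The last line is deliberately malformed
# to show that a bad record is skipped rather than breaking the scan.
SAMPLE_LOGS = [
    '{"network": {"client": {"ip": "10.0.4.21"}}, "policy_name": "guest-wifi", "action": "allowed", "query": "update.example-cdn.net", "threat_categories": []}',
    '{"network": {"client": {"ip": "10.0.4.21"}}, "policy_name": "guest-wifi", "action": "allowed", "query": "login-verify.example.test", "threat_categories": ["Phishing"]}',
    '{"network": {"client": {"ip": "10.0.7.3"}}, "policy_name": "corp-default", "action": "blocked", "query": "c2.example.test", "threat_categories": ["Malware"]}',
    '{"network": {"client": {"ip": "10.0.9.14"}}, "policy_name": "guest-wifi", "action": "allowed", "query": "pay-now.example.test", "threat_categories": ["Phishing", "Newly Seen Domain"]}',
    '{"network": {"client": {"ip": "10.0.4.21"}}, "policy_name": "guest-wifi", "action": "allowed", "query": "drop.example.test", "threat_categories": ["Malware"]}',
    'not json at all',
]


def parse_events(lines):
    """Parse JSON log lines, silently dropping records that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_allowed_threat(event):
    """A record matches when the resolver allowed the query *and* the domain carries
    at least one threat category. Blocked threats and clean allowed queries do not."""
    return event.get("action") == "allowed" and bool(event.get("threat_categories"))


def find_allowed_threats(lines):
    """Return every allowed, threat-flagged request in the input."""
    return [e for e in parse_events(lines) if is_allowed_threat(e)]


def summarize_by_source(hits):
    """Group matches by (client IP, policy name), collecting the domains and threat
    categories seen, so an analyst can see at once which host hit what and under
    which policy the request slipped through."""
    summary = defaultdict(lambda: {"count": 0, "domains": set(), "categories": set()})
    for e in hits:
        ip = e["network"]["client"]["ip"]
        key = (ip, e.get("policy_name", "<unknown>"))
        entry = summary[key]
        entry["count"] += 1
        entry["domains"].add(e["query"])
        entry["categories"].update(e["threat_categories"])
    return dict(summary)


def alerts(lines, threshold=1):
    """One alert per (ip, policy) pair with at least `threshold` hits. A threshold
    of 1 mirrors the rule described above: any allowed threat request fires."""
    summary = summarize_by_source(find_allowed_threats(lines))
    return {key: info for key, info in summary.items() if info["count"] >= threshold}


if __name__ == "__main__":
    for (ip, policy), info in alerts(SAMPLE_LOGS).items():
        print(f"ALERT client={ip} policy={policy} hits={info['count']} "
              f"categories={sorted(info['categories'])} domains={sorted(info['domains'])}")
```

Raising `threshold` turns the per-request signal into a per-source one, which is useful when a single misconfigured policy produces a flood of hits from the same host; the blocked record in the sample is never counted, because the rule is about threats the policy let through, not ones it caught.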