DNS traffic to Recorded Future identified malicious domain

This rule is part of a beta feature. To learn more, contact Support.
recorded-future

Classification:

threat-intel

Tactic:

TA0011-command-and-control

Technique:

T1566-phishing

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect DNS traffic to domains identified as malicious by Recorded Future threat intelligence.

Strategy

This rule monitors DNS activity (@ocsf.class_uid:4003) logs enriched with Recorded Future threat intelligence, triggering when a host attempts to resolve a domain flagged by Recorded Future.

Triage & Response

  1. Identify the source host {{@ocsf.src_endpoint.ip}} that generated the DNS traffic.
  2. Investigate whether the host has been compromised and is attempting to communicate with a known C2 infrastructure. Isolate the host if compromise is confirmed.
  3. Review other network activity from the source IP around the same time for lateral movement or data exfiltration.