DNS traffic to Recorded Future identified malicious domain

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect DNS traffic to domains identified as malicious by Recorded Future threat intelligence.

Strategy

This rule monitors DNS activity logs (@ocsf.class_uid:4003) that have been enriched with Recorded Future threat intelligence, and triggers when a host attempts to resolve a domain that Recorded Future has flagged as malicious.

Triage & Response

  1. Identify the source host {{@ocsf.src_endpoint.ip}} that generated the DNS traffic.
  2. Investigate whether the host has been compromised and is attempting to communicate with known C2 infrastructure. Isolate the host if compromise is confirmed.
  3. Review other network activity from the source IP around the same time for lateral movement or data exfiltration.
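The following is an added example, not part of this rule page or of Datadog's own detection engine, illustrating the Strategy above and the pivot in triage step 3: it filters OCSF DNS Activity events (class_uid 4003) whose domain carries a Recorded Future enrichment, then collects other events from the same source IP within a surrounding time window. The `threat_intel` list with `source` and `category` keys, and the epoch-millisecond `time` field on the sample events, are assumptions made for this example rather than a documented enrichment schema; the events themselves are constructed.

```python
"""Toy matcher for the rule above (added example): flag OCSF DNS Activity events
(class_uid 4003) whose queried domain carries a Recorded Future threat-intel
enrichment, then pivot to other activity from the same source IP (triage step 3).
The enrichment field layout below is an assumption for this example."""

DNS_ACTIVITY_CLASS_UID = 4003  # OCSF DNS Activity, as referenced by the rule


def _get(event, path):
    # Dotted-path lookup: "src_endpoint.ip" -> event["src_endpoint"]["ip"]
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_rf_flagged_dns(event):
    """True when the event is DNS Activity and its enrichment (assumed layout:
    a `threat_intel` list of {source, category}) names Recorded Future."""
    if _get(event, "class_uid") != DNS_ACTIVITY_CLASS_UID:
        return False  # enrichment on a non-DNS event does not match this rule
    for hit in event.get("threat_intel") or []:
        if hit.get("source") == "Recorded Future" and hit.get("category") == "malicious":
            return True
    return False


def find_matches(events):
    """All events that would trigger the rule."""
    return [e for e in events if is_rf_flagged_dns(e)]


def related_activity(events, match, window_ms=10 * 60 * 1000):
    """Other events from the same source IP within +/- window_ms of the match,
    the pivot recommended in triage step 3."""
    ip = _get(match, "src_endpoint.ip")
    lo, hi = match["time"] - window_ms, match["time"] + window_ms
    return [e for e in events
            if e is not match
            and _get(e, "src_endpoint.ip") == ip
            and lo <= e.get("time", -1) <= hi]


# Constructed sample events (epoch milliseconds, example TLDs, RFC 5737 addresses).
SAMPLE_EVENTS = [
    {"time": 1_700_000_000_000, "class_uid": 4003,
     "src_endpoint": {"ip": "10.0.0.5"},
     "query": {"hostname": "malicious.example"},
     "threat_intel": [{"source": "Recorded Future", "category": "malicious"}]},
    {"time": 1_700_000_060_000, "class_uid": 4003,
     "src_endpoint": {"ip": "10.0.0.7"},
     "query": {"hostname": "docs.example"}},
    {"time": 1_700_000_120_000, "class_uid": 4001,  # network activity, same host, 2 min later
     "src_endpoint": {"ip": "10.0.0.5"},
     "dst_endpoint": {"ip": "203.0.113.10", "port": 443}},
    {"time": 1_700_000_120_000, "class_uid": 4001,  # enriched but not DNS: no match
     "src_endpoint": {"ip": "10.0.0.9"},
     "dst_endpoint": {"ip": "203.0.113.10", "port": 443},
     "threat_intel": [{"source": "Recorded Future", "category": "malicious"}]},
    {"time": 1_700_001_800_000, "class_uid": 4003,  # same host, 30 min later: outside window
     "src_endpoint": {"ip": "10.0.0.5"},
     "query": {"hostname": "updates.example"}},
]


if __name__ == "__main__":
    for m in find_matches(SAMPLE_EVENTS):
        print("match:", _get(m, "src_endpoint.ip"), "->", _get(m, "query.hostname"))
        for e in related_activity(SAMPLE_EVENTS, m):
            print("  related:", e["class_uid"], _get(e, "dst_endpoint.ip"))
```

Run as-is, the script reports one match from 10.0.0.5 and one related network event to 203.0.113.10:443 two minutes later; the enriched non-DNS event and the query 30 minutes later are correctly left out, which is the kind of scoping a real query on the rule's class_uid filter and a bounded time window would give an analyst.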