---
title: DNS traffic to Recorded Future identified malicious domain
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > DNS traffic to Recorded Future
  identified malicious domain
---

# DNS traffic to Recorded Future identified malicious domain

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
- Classification: threat-intel
- Tactic: [TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011)
- Technique: [T1566-phishing](https://attack.mitre.org/techniques/T1566)

## Goal{% #goal %}

Detect DNS traffic to domains identified as malicious by Recorded Future threat intelligence.

## Strategy{% #strategy %}

This rule monitors DNS activity (`@ocsf.class_uid:4003`) logs enriched with Recorded Future threat intelligence, triggering when a host attempts to resolve a domain flagged by Recorded Future.

## Triage & Response{% #triage--response %}

1. Identify the source host `{{@ocsf.src_endpoint.ip}}` that generated the DNS traffic.
1. Investigate whether the host has been compromised and is attempting to communicate with known C2 infrastructure. Isolate the host if compromise is confirmed.
1. Review other network activity from the source IP around the same time for lateral movement or data exfiltration.
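As an added illustration of the strategy above and of the first triage step (example code, not Datadog's rule implementation or the Recorded Future enrichment): it matches the queried domain in OCSF DNS Activity records (`class_uid` 4003) against a constructed indicator set, matching exact names and subdomains but not look-alike substrings, then groups the hits by `src_endpoint.ip`. The indicator list, the sample records and the `query.hostname` field placement are assumptions.

```python
from collections import defaultdict

# Constructed stand-in for a Recorded Future indicator feed (placeholder domains).
# A real feed also carries risk scores and evidence; only the domain is used here.
MALICIOUS_DOMAINS = {"bad-example.test", "c2.example.net"}

# Constructed OCSF DNS Activity records (class_uid 4003), trimmed to the fields used.
SAMPLE_LOGS = [
    {"class_uid": 4003, "src_endpoint": {"ip": "10.0.0.5"}, "query": {"hostname": "www.example.com."}},
    {"class_uid": 4003, "src_endpoint": {"ip": "10.0.0.7"}, "query": {"hostname": "cdn.BAD-example.test."}},
    {"class_uid": 4001, "src_endpoint": {"ip": "10.0.0.7"}, "dst_endpoint": {"ip": "203.0.113.9"}},
    {"class_uid": 4003, "src_endpoint": {"ip": "10.0.0.7"}, "query": {"hostname": "c2.example.net"}},
    {"class_uid": 4003, "src_endpoint": {"ip": "10.0.0.9"}, "query": {"hostname": "notbad-example.test"}},
]


def normalize(hostname):
    """Canonical form for comparison: drop the trailing root dot, lowercase."""
    return hostname.rstrip(".").lower()


def matched_indicator(hostname, indicators):
    """Return the indicator the queried name equals or is a subdomain of, else None.

    Walking label by label avoids false positives from plain substring checks
    (e.g. "notbad-example.test" must not match "bad-example.test").
    """
    labels = normalize(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def detect(logs, indicators=MALICIOUS_DOMAINS):
    """Apply the rule: DNS activity records whose queried domain is a known indicator."""
    hits = []
    for rec in logs:
        if rec.get("class_uid") != 4003:  # only DNS Activity records are in scope
            continue
        hostname = rec.get("query", {}).get("hostname")
        if not hostname:
            continue
        indicator = matched_indicator(hostname, indicators)
        if indicator:
            hits.append({"src_ip": rec["src_endpoint"]["ip"],
                         "queried": normalize(hostname), "indicator": indicator})
    return hits


def hosts_to_triage(hits):
    """Group hits by source host (triage step 1) so each host is investigated once."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["src_ip"]].append(hit["indicator"])
    return dict(by_host)
```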
