Domain Watchlist
The Domain Watchlist (Blocklist) Detector uses a list of suspicious domains curated by Secureworks Counter Threat Unit™ (CTU) Threat Intelligence and compares it against Domain Name System (DNS) telemetry collected via supported endpoint and syslog data sources. When a suspicious domain is identified in tenant telemetry, an alert is generated. The alert contains the list the suspicious domain was sourced from, the reason it is considered suspicious, and the associated confidence value. If a domain exists on multiple lists, the number of lists is shown in the Alert Summary, and the Alert Description includes each list, reason, and confidence.
The Domain Watchlist Detector also uses correlation: any subsequent matches for the same domain are appended to the existing alert rather than creating a new one. This lets users quickly see which hosts are communicating with the suspicious domain without having to search manually.
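The following is an added example, not Secureworks or Taegis code, that reimplements the behaviour described above in simplified form: DNS events are matched against several curated lists, one alert is created per suspicious domain with the list, reason and confidence for every list it appears on, and later matches for the same domain append the querying host to that alert instead of raising a new one. The list names, reasons, confidence values and DNS records are constructed, and the parent-domain matching (so that a query for a subdomain of a listed domain still hits) is an assumption about how such a detector might match, not behaviour stated on this page.

```python
# Added example: simplified watchlist matching with multi-list reporting and
# alert correlation. Not Secureworks/Taegis code; all data below is constructed.

# Constructed watchlists: list name -> {domain: (reason, confidence)}
WATCHLISTS = {
    "ctu-c2-domains": {"bad-c2.example": ("known C2 infrastructure", 90)},
    "ctu-phishing": {
        "bad-c2.example": ("credential phishing", 70),
        "login-update.example": ("credential phishing", 80),
    },
}

# Constructed DNS telemetry, shaped like a normalized DNS record (host + query)
DNS_EVENTS = [
    {"host": "ws-01", "query": "www.example.com"},
    {"host": "ws-01", "query": "bad-c2.example"},
    {"host": "ws-02", "query": "login-update.example"},
    {"host": "ws-03", "query": "cdn.bad-c2.example."},   # subdomain, trailing dot
    {"host": "ws-01", "query": "Bad-C2.Example"},        # mixed case
]


def normalize(domain):
    """Lower-case and strip a trailing dot so 'Bad-C2.Example.' equals 'bad-c2.example'."""
    return domain.rstrip(".").lower()


def candidates(domain):
    """Queried domain plus its parent domains (TLD excluded).

    Parent-domain matching is an assumption of this example, not documented
    detector behaviour: 'cdn.bad-c2.example' -> ['cdn.bad-c2.example', 'bad-c2.example'].
    """
    labels = normalize(domain).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup(domain):
    """Return (list_name, matched_domain, reason, confidence) for every list that hits."""
    hits = []
    for list_name, entries in WATCHLISTS.items():
        for cand in candidates(domain):
            if cand in entries:
                reason, confidence = entries[cand]
                hits.append((list_name, cand, reason, confidence))
                break  # at most one hit per list for a given query
    return hits


def build_alerts(events):
    """Match events against the watchlists and correlate repeats into one alert per domain."""
    alerts = {}
    for ev in events:
        hits = lookup(ev["query"])
        if not hits:
            continue
        # Correlate on the listed domain that matched (same for all lists here)
        key = hits[0][1]
        alert = alerts.get(key)
        if alert is None:
            alert = alerts[key] = {
                "domain": key,
                # Alert Summary carries the number of lists the domain appears on
                "summary": f"{key} matched {len(hits)} watchlist(s)",
                # Alert Description carries each list, reason and confidence
                "description": [
                    {"list": n, "reason": r, "confidence": c} for n, _, r, c in hits
                ],
                "hosts": [],
                "match_count": 0,
            }
        # Subsequent matches append to the existing alert instead of creating a new one
        alert["match_count"] += 1
        if ev["host"] not in alert["hosts"]:
            alert["hosts"].append(ev["host"])
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(DNS_EVENTS).values():
        print(alert["summary"], "| hosts:", alert["hosts"], "| matches:", alert["match_count"])
        for entry in alert["description"]:
            print("   ", entry)
```

Running the block as a script prints one correlated alert for `bad-c2.example` (two lists, three matches from two hosts) and one for `login-update.example`. The `break` after the first hit per list is what keeps the list count in the summary equal to the number of distinct lists rather than the number of candidate domains tried.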
Note
Taegis™ NDR automatically downloads the list of Secureworks malicious domains and uses them within the reputation preprocessor to detect malicious domains in real-time.
[Figure: Domain Watchlist Alert]
Requirements
This detector requires the following data sources, integrations, or schemas:
- DNS, by way of any data source contributing to the DNS schema
Inputs
Detections are from the following normalized sources:
- DNS
Outputs
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category
This detector has no MITRE Mapping.
Detector Testing
This detector does have a supported testing method. Alerts generated by this detector can be found with the following query:
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:domain_blacklist'
References
- Schemas