
Suspicious DNS Activity

The Suspicious DNS Activity detector identifies attempts by threat actors to steal data by exfiltration over existing command and control channels. It monitors DNS activity for sequences and patterns indicative of possible DNS exfiltration, or of C2 communication over DNS from a compromised host to an attacker-controlled machine.
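To make the "sequences and patterns" concrete, the following added example (not the Taegis detector's own logic, whose internals are not published on this page) profiles a constructed DNS query log per client and zone and flags zones whose subdomains are numerous, long and high-entropy, the classic shape of data tunnelled through DNS labels. The zone split is a naive last-two-labels rule and the thresholds are illustrative assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (client, queried name). Not real telemetry.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.5", "4fd19a3b7c2e8d06f5a1.c1.tunnel-test.example"),
    ("10.0.0.5", "b82e0c9f6d3a4715e9c7.c2.tunnel-test.example"),
    ("10.0.0.5", "7a1c5e3d9b0f2486ad63.c3.tunnel-test.example"),
    ("10.0.0.5", "e6d4b2a08c9f1357b4e2.c4.tunnel-test.example"),
    ("10.0.0.5", "3c7f9e1a5b2d8604fc19.c5.tunnel-test.example"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str):
    """Return (subdomain part, zone). Assumption: zone = last two labels (no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def profile_queries(queries):
    """Aggregate per (client, zone): distinct subdomains, their mean length and mean entropy."""
    buckets = defaultdict(set)
    for client, name in queries:
        sub, zone = split_name(name)
        if sub:  # bare zone lookups carry no label payload; skip them
            buckets[(client, zone)].add(sub)
    return {
        key: {
            "unique_subdomains": len(subs),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
        for key, subs in buckets.items()
    }

def flag_suspicious(queries, min_unique=5, min_len=20, min_entropy=3.5):
    """(client, zone) pairs whose pattern resembles DNS tunnelling; thresholds are illustrative."""
    return sorted(
        key for key, p in profile_queries(queries).items()
        if p["unique_subdomains"] >= min_unique
        and p["mean_len"] >= min_len and p["mean_entropy"] >= min_entropy
    )
```

Ordinary browsing (few, short, low-entropy subdomains under example.com) is not flagged, while the constructed tunnel-test.example traffic is; in practice the thresholds need tuning against each environment's baseline.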

Suspicious DNS Activity Alert

Requirements

This detector requires the following data sources, integrations, or schemas:

Inputs

Detections are from the following normalized sources:

Outputs

Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

Detector Testing

This detector does have a supported testing method.

See DNS Query Detector Testing.

FROM alert WHERE metadata.creator.detector.detector_id='app:detect:suspicious-dns'
