Overview

Systems on your organization's network should use only designated internal DNS servers. DNS activity to unauthorized DNS servers could indicate that a rogue host has been attached to the network or that a legitimate host has been compromised. Unusual DNS traffic can also be a sign that a host has been misconfigured. Use this content pack to monitor DNS activity and help detect and prevent attacks or other unwanted DNS traffic.

Content Pack Components

Alarms

  • DNS - DNS Changer IP Activity

Views

Provide more detail on DNS requests and DNS types.

  • DNS NXDOMAIN View
  • DNS Query View

Reports

Give a daily summary of DNS-related events.

  • DNS - DNS Traffic

Correlation Rules

Include a combination of new and existing rules.

  • DNS - Communication with Malicious Host - Event or Flow
  • DNS - DNS Changer Activity - Event or Flow
  • DNS - GTI Communication with Malicious Host - Event or Flow
  • DNS - Local Host Communicating with External DNS Server - Flow
  • DNS - Multiple NXDomain Events
  • DNS - Multiple Recon Events from a Local Host
  • DNS - Multiple Recon Events from a Remote Host
  • DNS - Possible DNS Amplification Attack
  • DNS - Possible DNS Connection or Unauthorized DNS Server
  • DNS - Traffic with a Passive DNS-Known Malware Domain

Required Products

  • McAfee Enterprise Security Manager (ESM) 10.0.x, 9.6.x, 9.5.x
  • McAfee Advanced Correlation Engine (ACE) 10.0.x, 9.6.x, 9.5.x
  • Some rules require McAfee Global Threat Intelligence (GTI) in order to function properly.

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.
