Systems on your organization's network should use only designated internal DNS servers. DNS activity to unauthorized DNS servers could indicate that a rogue host has been attached to the network or that a legitimate host has been compromised. Unusual DNS traffic can also be a sign that a host has been misconfigured. Use this content pack to monitor DNS activity and help detect and prevent attacks or other unwanted DNS traffic.

Content Pack Components


  • DNS - DNS Changer IP Activity


Provide more detail on DNS requests and DNS types.

  • DNS Query View


Give a daily summary of DNS-related events.

  • DNS - DNS Traffic

Correlation Rules

Includes a combination of both new and existing rules.

  • DNS - Communication with Malicious Host - Event or Flow
  • DNS - DNS Changer Activity - Event or Flow
  • DNS - GTI Communication with Malicious Host - Event or Flow
  • DNS - Local Host Communicating with External DNS Server - Flow
  • DNS - Multiple NXDomain Events
  • DNS - Multiple Recon Events from a Local Host
  • DNS - Multiple Recon Events from a Remote Host
  • DNS - Possible DNS Amplification Attack
  • DNS - Possible DNS Connection or Unauthorized DNS Server
  • DNS - Traffic with a Passive DNS-Known Malware Domain

Required Products

  • McAfee Enterprise Security Manager (ESM) 11.x, 10.x
  • McAfee Advanced Correlation Engine (ACE) 11.x, 10.x
  • Some rules require McAfee Global Threat Intelligence (GTI) in order to function properly

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.
