DNS detections

Detects whether a triple-A (AAAA) DNS response contains an IP address that is announced (routed) or not. If the response contains a non-announced IPv6 address, this may indicate a covert-channel communication attempt.

Source table → network.dns

Monitor TXT and ANY responses to detect infiltrations or possible reflection attacks.

Source table → network.dns

Detects a domain whose TLD is not in the Mozilla TLD list.

Source table → domains.all

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE.

Source table → network.dns