
Summary
The detection rule titled "Unusual Network Destination Domain Name" uses a machine learning job to identify atypical domain names contacted in network traffic. Requests to unusual domains can indicate a range of malicious activity, including initial access through phishing, persistence mechanisms, command-and-control communication, or data exfiltration by malware. The rule works by monitoring network traffic for connections to rarely seen domains, which may signify internal systems attempting to reach potentially harmful resources. False positives can arise from legitimate but infrequent web activity, such as visits to a unique vendor or support site. The machine learning job linked to this rule must be enabled so that it analyzes network traffic continuously; it is set to run every 15 minutes over data collected during the past 45 minutes. Recommended investigation steps include cross-checking flagged domain names against threat intelligence sources, analyzing the related network traffic, and reviewing any recent changes to the user or system activity associated with those domains. Where malicious activity is confirmed, isolating and thoroughly scanning the affected systems are the key response actions.
Categories
- Network
- Endpoint
- Cloud
Data Sources
- Network Traffic
- User Account
- Application Log
Created: 2020-03-25