Managed Sentinel – Alert 023

Alert IDMS-A023
Alert NameDNS commonly abused TLDs (Top Level Domain)
DescriptionSome top level domains (TLDs) are more commonly associated with malware for a range of reasons - including how easy domains on these TLDs are to obtain. Many of these may be undesirable from an enterprise policy perspective. The clientCount column provides an initial insight into how widespread the domain usage is across the estate.
Source: Github - Microsoft
Severity LevelLow
Threat IndicatorData Theft
MITRE ATT&CK TacticsCommand and Control
Log sourcesDNS Logs
False PositivesUnknown
RecommendationsInvestigate ClientIP which returned as anomalous. Run a virus/antimalware scan on suspected hosts. Monitor traffic logs in perimeter firewall for any outlier patterns.