Example: Unapproved Internet DNS Queries

Discussion created by securitysavy on Feb 24, 2012

Attached is a correlation rule (the logic anyway) for alerting on internet-bound DNS queries, which may be indicative of malware or a policy violation.

Keep in mind you may trigger lots of alerts initially. Customize as you need.
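As an added illustration of the rule's logic, not the attached rule itself (which is not reproduced in this post): this Python flags port-53 flows, taken from constructed sample flow records, whose destination is not on an assumed approved-resolver list, distinguishes internet-bound destinations from unapproved internal ones, and groups hits per source host behind a tunable threshold so the initial alert volume can be dialed down.

```python
import ipaddress
from collections import defaultdict

# Assumed: the organization's approved internal resolvers (constructed values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample flow records: (src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.0.0.53", 53, "udp"),       # normal: approved resolver
    ("10.1.2.10", "8.8.8.8", 53, "udp"),         # unapproved: public resolver
    ("10.1.2.11", "10.0.1.53", 53, "tcp"),       # normal: approved resolver
    ("10.1.2.12", "9.9.9.9", 53, "udp"),         # unapproved: repeated, internet-bound
    ("10.1.2.12", "9.9.9.9", 53, "udp"),
    ("10.1.2.12", "9.9.9.9", 53, "udp"),
    ("10.1.2.13", "93.184.216.34", 443, "tcp"),  # not DNS: ignored
    ("10.1.2.14", "192.168.50.1", 53, "udp"),    # unapproved but internal (rogue resolver)
]

def is_internet_bound(dst_ip: str) -> bool:
    """True when the destination is a globally routable (public) address."""
    return ipaddress.ip_address(dst_ip).is_global

def unapproved_dns_flows(flows, approved=APPROVED_RESOLVERS):
    """Return the port-53 flows whose destination is not an approved resolver."""
    return [f for f in flows if f[2] == 53 and f[1] not in approved]

def correlate(flows, approved=APPROVED_RESOLVERS, threshold=1):
    """Group unapproved DNS flows by source host, the way a correlation rule would.

    Returns {src_ip: {"count": n, "destinations": set, "internet_bound": bool}}
    for hosts with at least `threshold` hits; raise the threshold to cut noise.
    """
    hits = defaultdict(lambda: {"count": 0, "destinations": set(), "internet_bound": False})
    for src, dst, _port, _proto in unapproved_dns_flows(flows, approved):
        entry = hits[src]
        entry["count"] += 1
        entry["destinations"].add(dst)
        entry["internet_bound"] |= is_internet_bound(dst)
    return {src: entry for src, entry in hits.items() if entry["count"] >= threshold}

if __name__ == "__main__":
    for src, entry in sorted(correlate(SAMPLE_FLOWS).items()):
        scope = "internet-bound" if entry["internet_bound"] else "internal, unapproved"
        print(f"{src}: {entry['count']} unapproved DNS flow(s) to {sorted(entry['destinations'])} ({scope})")
```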