LoFP / It is possible that the list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.

Techniques

Sample rules

Detect web traffic to dynamic domain providers

Description

This search looks for web connections to dynamic DNS providers.

Detection logic


| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `dynamic_dns_web_traffic` 
| `detect_web_traffic_to_dynamic_domain_providers_filter`