DNS activity observed associated with a malicious domain identified by Datadog Security Research

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects DNS queries in OCSF DNS activity events where the queried domain matches Datadog Security Research threat intelligence as malicious or suspicious.

Strategy

This rule monitors OCSF DNS activity where class_uid is 4003, with threat enrichment where @threat_intel.results.source.name is Datadog Security Research, @threat_intel.results.intention is malicious or suspicious, and @threat_intel.indicators_matched is Domain.

Triage & Response

  • Examine {{@ocsf.query.hostname}} and {{@ocsf.src_endpoint.ip}} against normal baselines for the subnet, resolver, or application path that issued the query.
  • Review {{@ocsf.rcode_id}} and related answer fields on the event to see whether the name resolved and what data was returned.
  • Identify the asset or service behind {{@ocsf.src_endpoint.ip}} or {{@ocsf.src_endpoint.hostname}} when that hostname is populated.
  • Check adjacent DNS and network activity from the same source around the alert window for unusual volume or related domains.
  • Determine whether the query aligns with known software updates, security tooling, or sanctioned third-party services rather than unexpected client behavior.
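The following is an added example, not Datadog's rule implementation or code from this page, showing how the Strategy conditions above can be evaluated over OCSF DNS activity events and how the fields named in the triage steps can be pulled out for an analyst. It assumes events arrive as newline-delimited JSON with an @ocsf object and an @threat_intel object whose results attribute is a list of enrichment results; the sample events and every hostname, IP and asset name in them are constructed.

```python
import json
from typing import Any

# Rule parameters as stated in the Strategy section.
DNS_ACTIVITY_CLASS_UID = 4003
TI_SOURCE = "Datadog Security Research"
TI_INTENTIONS = {"malicious", "suspicious"}
TI_INDICATOR = "Domain"


def _as_list(value: Any) -> list:
    """Normalise a scalar-or-list attribute to a list (enrichment fields may be either)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event: dict) -> bool:
    """Return True when an OCSF event satisfies every condition of the detection rule."""
    if event.get("class_uid") != DNS_ACTIVITY_CLASS_UID:
        return False
    ti = event.get("@threat_intel", {})
    # The matched indicator must be the queried domain, not e.g. an IP in the answer section.
    if TI_INDICATOR not in _as_list(ti.get("indicators_matched")):
        return False
    # At least one enrichment result must come from the named source with a hostile intention.
    for result in _as_list(ti.get("results")):
        source_name = (result.get("source") or {}).get("name")
        if source_name == TI_SOURCE and result.get("intention") in TI_INTENTIONS:
            return True
    return False


def triage_fields(event: dict) -> dict:
    """Collect the attributes the Triage & Response steps ask an analyst to examine."""
    ocsf = event.get("@ocsf", {})
    src = ocsf.get("src_endpoint", {})
    return {
        "hostname": ocsf.get("query", {}).get("hostname"),
        "src_ip": src.get("ip"),
        "src_hostname": src.get("hostname"),  # may be absent; triage step 3 handles that case
        "rcode_id": ocsf.get("rcode_id"),      # 0 = NOERROR, 3 = NXDOMAIN in OCSF/DNS numbering
    }


def run_rule(ndjson: str) -> list:
    """Evaluate the rule over NDJSON events and return one triage row per matching event."""
    rows = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches_rule(event):
            rows.append(triage_fields(event))
    return rows


# Constructed sample events (not real telemetry). Only events 1 and 6 satisfy the rule.
SAMPLE_EVENTS = """
{"class_uid": 4003, "@ocsf": {"query": {"hostname": "cdn.constructed-malicious.test"}, "src_endpoint": {"ip": "10.0.0.5"}, "rcode_id": 0}, "@threat_intel": {"indicators_matched": ["Domain"], "results": [{"source": {"name": "Datadog Security Research"}, "intention": "malicious"}]}}
{"class_uid": 4001, "@ocsf": {"src_endpoint": {"ip": "10.0.0.5"}}, "@threat_intel": {"indicators_matched": ["Domain"], "results": [{"source": {"name": "Datadog Security Research"}, "intention": "malicious"}]}}
{"class_uid": 4003, "@ocsf": {"query": {"hostname": "vendor.constructed.test"}, "src_endpoint": {"ip": "10.0.0.6"}, "rcode_id": 0}, "@threat_intel": {"indicators_matched": ["Domain"], "results": [{"source": {"name": "Other Vendor"}, "intention": "malicious"}]}}
{"class_uid": 4003, "@ocsf": {"query": {"hostname": "benign.constructed.test"}, "src_endpoint": {"ip": "10.0.0.7"}, "rcode_id": 0}, "@threat_intel": {"indicators_matched": ["Domain"], "results": [{"source": {"name": "Datadog Security Research"}, "intention": "benign"}]}}
{"class_uid": 4003, "@ocsf": {"query": {"hostname": "ipmatch.constructed.test"}, "src_endpoint": {"ip": "10.0.0.8"}, "rcode_id": 0}, "@threat_intel": {"indicators_matched": "IP", "results": [{"source": {"name": "Datadog Security Research"}, "intention": "malicious"}]}}
{"class_uid": 4003, "@ocsf": {"query": {"hostname": "nx.constructed-suspicious.test"}, "src_endpoint": {"ip": "10.0.1.42", "hostname": "laptop-42.corp.test"}, "rcode_id": 3}, "@threat_intel": {"indicators_matched": "Domain", "results": [{"source": {"name": "Datadog Security Research"}, "intention": "suspicious"}]}}
"""

if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row)
```

The constructed set deliberately includes the near-misses that separate this rule from its neighbours: a non-DNS event class with the same enrichment, a match from a different intelligence source, a benign verdict, and an enrichment that matched on an IP rather than the domain. Only the two domain matches from the named source survive, and the second one (rcode_id 3, NXDOMAIN) illustrates why triage step 2 matters: a name that never resolved is a different conversation from one that returned an answer.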