---
title: >-
  DNS activity observed associated with a malicious domain identified by Datadog
  Security Research
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > DNS activity observed associated with a
  malicious domain identified by Datadog Security Research
---

# DNS activity observed associated with a malicious domain identified by Datadog Security Research

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
- Classification: threat-intel
- Tactic: [TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011)
- Technique: [T1566-phishing](https://attack.mitre.org/techniques/T1566)

## Goal{% #goal %}

Detects DNS queries in OCSF DNS activity events whose queried domain matches a domain that Datadog Security Research threat intelligence classifies as malicious or suspicious.

## Strategy{% #strategy %}

This rule monitors OCSF DNS activity where `class_uid` is `4003`, with threat enrichment where `@threat_intel.results.source.name` is `Datadog Security Research`, `@threat_intel.results.intention` is `malicious` or `suspicious`, and `@threat_intel.indicators_matched` is `Domain`.
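To make the match conditions concrete, here is an added example (not Datadog's rule engine or any code from the Datadog docs) that evaluates the same conditions over constructed OCSF DNS activity events. The event layout is an assumption: top-level `class_uid`, `ocsf` and `threat_intel` keys standing in for the `@`-prefixed attributes, with `threat_intel.results` holding one entry per enrichment source.

```python
# Added example, not Datadog's rule engine. Event layout (top-level "class_uid",
# "ocsf" and "threat_intel" keys mirroring the @-prefixed attributes) is assumed.
OCSF_DNS_ACTIVITY = 4003
SOURCE = "Datadog Security Research"
INTENTIONS = {"malicious", "suspicious"}


def _as_list(value):
    """Datadog attributes may be a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event):
    """True when the event satisfies every condition from the Strategy section."""
    if event.get("class_uid") != OCSF_DNS_ACTIVITY:
        return False
    ti = event.get("threat_intel") or {}
    # The matched indicator must be a Domain; an IP-only match is out of scope here.
    if "Domain" not in _as_list(ti.get("indicators_matched")):
        return False
    # results holds one entry per enrichment source; a single entry from Datadog
    # Security Research with a malicious/suspicious intention is enough to fire.
    for result in _as_list(ti.get("results")):
        name = (result.get("source") or {}).get("name")
        if name == SOURCE and result.get("intention") in INTENTIONS:
            return True
    return False


def alert_hostnames(events):
    """Queried hostnames (@ocsf.query.hostname) of events that trigger the rule."""
    return [e["ocsf"]["query"]["hostname"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"class_uid": 4003,  # fires: Datadog SR rates the domain malicious
     "ocsf": {"query": {"hostname": "bad.example"}, "rcode_id": 0,
              "src_endpoint": {"ip": "10.0.0.5", "hostname": "ws-01"}},
     "threat_intel": {"indicators_matched": ["Domain"],
                      "results": [{"source": {"name": SOURCE}, "intention": "malicious"}]}},
    {"class_uid": 4003,  # silent: only a different feed flagged it
     "ocsf": {"query": {"hostname": "other.example"}, "rcode_id": 3,
              "src_endpoint": {"ip": "10.0.0.6"}},
     "threat_intel": {"indicators_matched": ["Domain"],
                      "results": [{"source": {"name": "Other Feed"}, "intention": "malicious"}]}},
]
```

The second sample shows why the source-name condition matters: a domain flagged only by another feed does not trigger this particular rule even though the intention is `malicious`.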

## Triage & Response{% #triage--response %}

- Examine `{{@ocsf.query.hostname}}` and `{{@ocsf.src_endpoint.ip}}` against normal baselines for the subnet, resolver, or application path that issued the query.
- Review `{{@ocsf.rcode_id}}` and related answer fields on the event to see whether the name resolved and what data was returned.
- Identify the asset or service behind `{{@ocsf.src_endpoint.ip}}` or `{{@ocsf.src_endpoint.hostname}}` when that hostname is populated.
- Check adjacent DNS and network activity from the same source around the alert window for unusual volume or related domains.
- Determine whether the query aligns with known software updates, security tooling, or sanctioned third-party services rather than unexpected client behavior.
