This section provides the following information for out-of-the-box policies available for Domain Name System (DNS)/Dynamic Host Configuration Protocol (DHCP).

  • Prerequisites: Lists the attributes required to support all out-of-the-box policies for DNS/DHCP.
  • Policy Overview: Lists the policy signature ID, description, criticality, and MITRE threat indicator.
  • Detailed Policy Description: Lists detailed information for each policy such as policy status, policy criticality, policy category, MITRE mapping, violation entity, named list, vendor specific use case, and required attributes.

Prerequisites

Before you can use any out-of-the-box policies, make sure the required attributes are available in your ingested DNS/DHCP data. This section lists the attributes required to support all out-of-the-box use cases for DNS/DHCP.

Refer to the Detailed Policy Description to view the specific attributes required for each policy.

Policy Overview

This section lists out-of-the-box policies available for DNS/DHCP. The policies are categorized based on the following:

  • Observables: Policies that need monitoring, as they might turn into a threat.
  • Sandbox: Policies that must be tested and fine-tuned based on your requirements.

Sandbox

| Signature | Use Case name | Description | Criticality | MITRE Mapping |
|---|---|---|---|---|
| DNS-ALL-801-ERR | DHCP request from rare device | Indicates a malicious entity attempting to gain access to the internal network. Technique Used: Behavior anomaly for rarity on network traffic. | None | System Network Configuration Discovery |
| DNS-ALL-810-TA | Rare DNS server used | Indicates an unauthorized or misconfigured DNS server. Technique Used: Behavior anomaly on rare host for DNS traffic. | None | System Network Configuration Discovery |
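Both Sandbox policies rely on the same technique: compare the entity in a new event (the requesting device for DHCP, the answering server for DNS) against a baseline of what has been seen before, and alert when it is rare. The following Python sketch is an added illustration of that rarity check; it is not the vendor's implementation, the events it processes are constructed sample data, and the `min_days` threshold and the day-based baseline are assumptions chosen for the example. The signature IDs are the ones listed in the table above.

```python
from collections import defaultdict
from datetime import datetime

# Signature IDs as listed in the policy table; the detection logic below is an
# illustrative rarity check, not the vendor's own policy logic.
SIGNATURES = {
    "dhcp": "DNS-ALL-801-ERR",  # DHCP request from rare device
    "dns": "DNS-ALL-810-TA",    # Rare DNS server used
}

# Constructed sample events (not real logs): (timestamp, event_type, entity).
# For "dhcp" the entity is the requesting client MAC; for "dns" it is the
# DNS server IP that handled the query.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "dhcp", "aa:bb:cc:00:00:01"),
    ("2024-05-01T08:05:00", "dhcp", "aa:bb:cc:00:00:02"),
    ("2024-05-01T09:00:00", "dns", "10.0.0.53"),
    ("2024-05-02T08:00:00", "dhcp", "aa:bb:cc:00:00:01"),
    ("2024-05-02T08:05:00", "dhcp", "aa:bb:cc:00:00:02"),
    ("2024-05-02T09:00:00", "dns", "10.0.0.53"),
    ("2024-05-03T08:00:00", "dhcp", "aa:bb:cc:00:00:01"),
    ("2024-05-03T09:00:00", "dns", "10.0.0.53"),
    # Detection day: a never-seen MAC asks for a lease, and one query is
    # answered by a DNS server the baseline has not recorded.
    ("2024-05-04T08:00:00", "dhcp", "aa:bb:cc:00:00:01"),
    ("2024-05-04T08:07:00", "dhcp", "de:ad:be:ef:00:99"),
    ("2024-05-04T09:00:00", "dns", "10.0.0.53"),
    ("2024-05-04T09:03:00", "dns", "192.0.2.7"),
]


def build_baseline(events, cutoff):
    """Count, per (event_type, entity), the distinct days it appeared before cutoff."""
    days = defaultdict(set)
    for ts, etype, entity in events:
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            days[(etype, entity)].add(when.date())
    return {key: len(seen) for key, seen in days.items()}


def detect_rare(events, cutoff, min_days=2):
    """Flag events at or after cutoff whose entity was seen on fewer than
    min_days distinct baseline days (assumed threshold for this example)."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ts, etype, entity in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue
        seen = baseline.get((etype, entity), 0)
        if seen < min_days:
            alerts.append({
                "signature": SIGNATURES[etype],
                "entity": entity,
                "time": ts,
                "baseline_days": seen,
            })
    return alerts


def run_sample():
    """Evaluate the detection day (2024-05-04) against the three prior days."""
    return detect_rare(SAMPLE_EVENTS, datetime.fromisoformat("2024-05-04T00:00:00"))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample flags two events: the unseen MAC under DNS-ALL-801-ERR and the unseen resolver under DNS-ALL-810-TA, while the devices and server present on two or more baseline days stay quiet. A short baseline or a low threshold turns every legitimately new laptop or newly deployed resolver into an alert, which is why these policies sit in the Sandbox category and need tuning against your own environment before they are promoted.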

Detailed Use Case Description