Automatic alert when a threat/malicious activity is detected by DNSFilter at one of your sites.
Hello voters! Would you take a few short minutes to fill out our survey regarding this feature? https://joshl2.typeform.com/to/k3zm4e
We want to make sure that everyone's voice is heard.
@Josh Lamb: done 👍
@Josh Lamb: Done. I've also added some notes below in response to Ken which are somewhat in line with some of the survey questions.
Thanks guys, this is helpful insight here. I’ll run it past the dev team. We are thinking a once-daily alert summary - I suppose it seems like mainly this would start with C&C activity.
@Ken Carnesi: Only thing about that would be if a machine is compromised and reaching out to a C&C server, we'd need to know right away, not waiting on a daily summary.
@Dave: so you think it’d be best for us to send the alert immediately even if we see a single request?
What if we see the activity, but we are blocking it for you. You’d still want the alert? And you’d want it just the first time?
Just curious, because if we are alerting even on C&C domains we’ve blocked for you it may become noise/a pester if we kept alerting until you fixed the problem creating the requests in the first place.
@Ken Carnesi: If there is a way to categorize as ultra-high-risk sites, which is basically only C&C servers, then yeah, I'd want to know right away. Maybe rate limit the number of emails, but it should be immediate, because that's a high probability you just got infected with something that needs immediate remediation. People generally don't stumble onto C&C servers like you can with all the various other categories.
@Dave: Cool - you think there’s any interest/point in text message alerts as well? Or is that just unrealistic/not useful?
@Ken Carnesi: As an option, sure. For us smaller players, sometimes a text is more quickly noticed than emails. Bigger firms I assume would have emails directed right into a ticket, so texting doesn't make as much sense for them.
@Ken Carnesi: Something worth considering is webhooks with customisable post data. That way we could construct things like Microsoft Teams alerts and have them delivered where we want.
I think we should be able to say "If X requests are made to X category in X time" send an alert. Give *us* control over how many alerts we get in a day.
One DNS block for something here and there isn't overly concerning, but if a site hits a blocked DNS record 30 times in a 30 second block, then we probably want to know about it.
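As an added example (not DNSFilter's code), here is how the two rules proposed in this thread could be evaluated over blocked-request records: an immediate but rate-limited alert on any blocked C&C lookup, and a threshold alert when one site hits one category 30 times inside 30 seconds. The record fields, the category label and the sample log are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed category label; DNSFilter's real category names are not given in the thread.
CC_CATEGORY = "command_and_control"

def sample_events():
    """Constructed blocked-request records (ts in seconds), one per blocked lookup."""
    events = []
    # Site A: one stray block every ten minutes, the "here and there" case that must not alert.
    for i in range(5):
        events.append({"ts": 600 * i, "site": "siteA", "domain": "stray.example", "category": "gambling"})
    # Site B: 30 blocked hits on one malware domain inside 30 seconds, which should raise a burst alert.
    for i in range(30):
        events.append({"ts": 5000 + i, "site": "siteB", "domain": "bad.example", "category": "malware"})
    # Site C: three blocked C&C lookups a minute apart; alert once, then rate-limit the repeats.
    for i in range(3):
        events.append({"ts": 9000 + 60 * i, "site": "siteC", "domain": "c2.example", "category": CC_CATEGORY})
    return events

def evaluate_alerts(events, threshold=30, window_s=30, cc_cooldown_s=3600):
    """Rule 1: any blocked C&C request alerts at once; repeats from the same site are
    suppressed for cc_cooldown_s (the "rate limit the emails" idea).
    Rule 2: `threshold` blocked requests to one category at one site inside `window_s`
    seconds raise one alert per window ("X requests to X category in X time")."""
    alerts = []
    windows = defaultdict(deque)   # (site, category) -> timestamps inside the sliding window
    last_cc_alert = {}             # site -> ts of the last C&C alert sent
    last_burst_alert = {}          # (site, category) -> ts of the last burst alert sent
    for e in sorted(events, key=lambda r: r["ts"]):
        site, cat, ts = e["site"], e["category"], e["ts"]
        if cat == CC_CATEGORY:
            prev = last_cc_alert.get(site)
            if prev is None or ts - prev >= cc_cooldown_s:
                alerts.append({"ts": ts, "site": site, "rule": "cc_immediate", "domain": e["domain"]})
                last_cc_alert[site] = ts
        key = (site, cat)
        q = windows[key]
        q.append(ts)
        while ts - q[0] > window_s:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            prev = last_burst_alert.get(key)
            if prev is None or ts - prev >= window_s:
                alerts.append({"ts": ts, "site": site, "rule": "burst", "category": cat, "count": len(q)})
                last_burst_alert[key] = ts
    return alerts
```

Lowering `cc_cooldown_s` to 0 shows the noise the thread worries about: every repeated C&C lookup then produces its own alert.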
Regarding your request on how the feature could look:
I don't want to get alarms for each blocked site. But it would be useful to get an alarm email if URLs known for command and control servers are blocked.
So basically alerts which tend to show that there are network internal infections.
2nd wish: Alerts if the number of DNS requests rises dramatically in a short time span.
Hope this is useful.
To everyone who upvoted this feature, we are looking to get started on a V1 of this idea. Could any of you please share with us what it is you are looking for/envision when you say you'd like automated threat alerts?
Our biggest concern is that we want this to be useful, actionable data and not just white noise. You can imagine that, with hundreds or thousands of domains visited per network, per day, it's going to be important to limit the scope of what these threat alerts should fire on.
Any insight would be greatly appreciated, so we can begin work on this and get it out soon!
@Ken Carnesi: Sudden contact with C&C servers would be a definite high alert item.
@Ken Carnesi: As everyone said: C&C alerts