Threat Class | Threat Family | Description | Recommendation |
|---|---|---|---|
TI-DNST | COBALTSTRIKE | Threat Insight’s ML/AI algorithm has identified a Cobalt Strike C2 Beacon or Tunnel. Cobalt Strike is primarily used by pen testers but a malicious actor may use a hacked copy. | You may wish to investigate and/or block the domain. If the domain is being used by an authorized pentester, you may autorize the specific domain in a custom allow list. |
TI-DNST | Generic | Threat Insight’s ML/AI algorithm has identified DNS that looks like a DNS tunnel. This could be a C2 Channel or an attempt to exfiltrate data. Some legitimate services use DNS Tunnels to transmit data (particularly antivirus software), we maintain a list of benign DNS Tunnels and filter them out. We also look at the domain’s reputation and other metadata. | You may wish to investigate and/or block the domain. |
TI-DNSTN | Generic | Threat Insight’s ML/AI algorithm has identified DNS that NOTIONALLY looks like a DNS tunnel. However, there were no successfully resolved queries and the domain doesn't appear to be using it's only nameserver. This could be a C2 Channel or an attempt to exfiltrate data. Some legitimate services use DNS Tunnels to transmit data (particularly antivirus software), we maintain a list of benign DNS Tunnels and filter them out. | You may wish to investigate and/or block the domain. |
TI-DNST | X | Threat Insight’s ML/AI algorithm has identified DNS that looks like a DNS tunnel associated with X. X is software designed to <X specific information>. | You may wish to investigate and/or block the domain. |
TI-DGA | MYLOBOT | Threat Insight’s ML/AI algorithms has identified DNS that looks like the DGA MYLOBOT, to meet this criteria it must meet the general structure (such as length and tlds) of the DGA and exhibit letter combinations that are common the DGA MYLOBOT and rare for non-DGA MYLOBOT traffic. We also look at the domain’s reputation and other metadata. | You may wish to investigate and/or block the domain. |
TI-DGA | X | Threat Insight’s ML/AI algorithms has identified DNS that looks like a DGA X, to meet this criteria it must meet the general structure (such as length and tlds) of the DGA and exhibit letter combinations that are common the DGA X and rare for non-DGA X traffic. We also look at the domain’s reputation and other metadata. Currently X is Mylobot and Zloader. | We also look at the domain’s reputation and other metadata. You may wish to investigate and/or block the domain. |
TI-DGA | ZLOADER | Threat Insight’s ML/AI algorithms has identified DNS that looks like the DGA ZLOADER, to meet this criteria it must meet the general structure (such as length and tlds) of the DGA and exhibit letter combinations that are common the DGA ZLOADER and rare for non-DGA ZLOADER traffic. We also look at the domain’s reputation and other metadata. | You may wish to investigate and/or block the domain. |
TI-BOTNET | QTYPEANY | Threat Insight’s ML/AI algorithms have identified DNS behavior of a device that is similar to a BOTNET. In this case the device is sending an abnormally large number of qtype any queries to a domain and may therefore be participating in a Distributed Denial of Service attack. | You may wish to investigate the device making the queries. |
TI-BOTNET | NXDOMAIN | Threat Insight’s ML/AI algorithms have identified DNS behavior of a device that is similar to a BOTNET. In this case the device is sending an abnormally large number of queries to a domain with NXDOMAIN responses and may therefore be participating in a Distributed Denial of Service attack. | You may wish to investigate the device making the queries. |
TI-BOTNET | SERVFAIL | Threat Insight’s ML/AI algorithms have identified DNS behavior of a device that is similar to a BOTNET. In this case the device is sending an abnormally large number of queries to a domain with SERVFAIL responses and may therefore be participating in a Distributed Denial of Service attack. | You may wish to investigate the device making the queries. |
TI-CONFIGURATIONISSUE | NXDOMAIN | Threat Insight’s ML/AI algorithms have identified DNS behavior of a device that is making a high number of NXDOMAIN queries. | This is a configuration issue which while minor can hog resources and fill logs. |
TI-CONFIGURATIONISSUE | OPENRESOLVER | Threat Insight’s ML/AI algorithms have identified DNS behavior of a device that is similar to an open resolver, this means your name server will respond to DNS queries from devices outside your network. | This is a possible security risk, you should likely investigate your name server configuration, in some cases another device on your network may be forwarding the requests. |
TI-CONFIGURATIONISSUE | BROWSERMISCONFIGURATION | Threat Insight’s ML/AI algorithms have identified DNS behavior of a device that making a high number of wpad requests, this is a configuration issue which while minor can hog resources and fill logs. | You may wish to investigate the device making the queries. |
TI-CONFIGURATIONISSUE | FEEDIGNORED | Threat Insight’s ML/AI algorithms a domain in a TIDE Feed that was ignored by the policy engine. This normally happens due to policy misconfiguration. | You may wish to investigate the device making the queries. |
TI-MAJTHREAT | LowProfileC2Beacon | Threat Insight has identified DNS indicators queried related to a know Major Threat, LowProfileC2Beacon. | You may wish to investigate the device making the queries. |
TI-MAJTHREAT | mfa_smishing | Threat Insight has identified DNS indicators queried related to a know Major Threat, mfa_smishing. | You may wish to investigate the device making the queries. |
TI-ZERODAYDNS | DGA | Threat Insight has a new domain (never seen by infoblox) that appears to have characteristic of a DGA. | You may wish to investigate the device making the queries. |
TI- | LOOKALIKE | Threat Insight has a new domain (never seen by infoblox) that appears to be a lookalike domain. | You may wish to investigate the device making the queries. |
TI-ZERODAYDNS | EMERGENT | Threat Insight has a new domain (never seen by infoblox) that has a very recent registration date. | You may wish to investigate the device making the queries. |
TI-ZERODAYDNS | FIRSTSEEN | Threat Insight has a new domain (never seen by infoblox), the registration date is older than four days. | You may wish to investigate the device making the queries. |
TI-FIRSTQUERYINSPECTION | DGA | Threat Insight has a new domain (never seen by infoblox) that appears to have characteristic of a DGA. | You may wish to investigate the device making the queries. |
TI-FIRSTQUERYINSPECTION | EMERGENT | Threat Insight has a new domain (never seen by infoblox) that has a very recent registration date. | You may wish to investigate the device making the queries. |
TI-FIRSTQUERYINSPECTION | LOOKALIKE | Threat Insight has a new domain (never seen by infoblox) that appears to be a lookalike domain. | You may wish to investigate the device making the queries. |
TI-SPEARPHISH | LOOKALIKE | Threat Insight has a new (or reactivated) domain that appears to be a lookalike for domain actively used in customer network. | You may wish to investigate the device making the queries |
TI-SPEARPHISH | EMERGENT/ | Threat Insight has a new (or reactivated) domain that appears to be a change TLD for domain actively used in customer network. | You may wish to investigate the device making the queries |
LOOKALIKE THREAT | PHISHING | Threat Insight has a new lookalike threat that appears to be involved in phishing, | You may wish to investigate the device making the queries |
LOOKALIKE THREAT | SUSPICIOUS | Threat Insight has a new (or reactivated) domain that appears to be engaged in a suspicious activity. | You may wish to investigate the device making the queries |
TI-SUSPICIOUS | EMERGENTDOMAINS | Threat Insight has a new domain (never seen by infoblox) that appears to be engaged in a suspicious activity. | You may wish to investigate the device making the queries |
TI-MAJTHREAT | LOG4SHELL | Threat Insight has identified DNS indicators queried related to a know Major Threat, log4shell. | You may wish to investigate the device making the queries |
Manage space
Manage content
Integrations
App links