Traffic to Infected Domains (BlackListDomains)

Alert Purpose

This alert should be triggered when a web access event shows traffic to a domain that appears on the BlackListDomains list of known malicious domains.

Data Sources Needed

  • web access events

Description

  1. Rule1 - EventID = "event id for web access events" AND "Accessed domain field" isinList @BlackListDomains
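As an added example (not code from the original rule page), the following Python applies Rule1 to a few constructed web access events; the event id value, field names and sample domains are assumptions, and the list check deliberately goes beyond the page's exact `isinList` match by also flagging subdomains of a listed domain, which is switchable.

```python
"""Reference implementation of Rule1 (BlackListDomains) over constructed events.
Added example; event id, field names and domains below are assumptions."""
from dataclasses import dataclass

WEB_ACCESS_EVENT_ID = 1000  # assumed "event id for web access events"


def normalize_domain(domain: str) -> str:
    """Lower-case, trim whitespace and drop a trailing dot so 'Evil.Example.' equals 'evil.example'."""
    return domain.strip().lower().rstrip(".")


# Constructed @BlackListDomains list, normalised once at load time.
BLACKLIST_DOMAINS = frozenset(
    normalize_domain(d) for d in ["evil.example", "c2.bad.test", "Malware-Drop.Example."]
)


def domain_in_list(domain: str, blacklist=BLACKLIST_DOMAINS, include_subdomains: bool = True) -> bool:
    """The rule's `isinList` check: exact membership, plus (beyond the page's rule)
    a walk up the parent domains so 'cdn.evil.example' also matches 'evil.example'.
    The bare TLD is never tried, so 'example' alone cannot match."""
    d = normalize_domain(domain)
    if d in blacklist:
        return True
    if not include_subdomains:
        return False
    labels = d.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(1, len(labels) - 1))


@dataclass
class WebAccessEvent:
    event_id: int
    src_ip: str
    accessed_domain: str  # assumed name of the "Accessed domain field"


def evaluate_rule1(events, blacklist=BLACKLIST_DOMAINS):
    """Rule1: EventID == web access event AND accessed domain isinList @BlackListDomains.
    Returns the matching events, i.e. the alert payload."""
    return [e for e in events
            if e.event_id == WEB_ACCESS_EVENT_ID and domain_in_list(e.accessed_domain, blacklist)]


SAMPLE_EVENTS = [  # constructed test events
    WebAccessEvent(1000, "10.0.0.5", "www.good.example"),
    WebAccessEvent(1000, "10.0.0.7", "EVIL.example."),      # case / trailing-dot variant of a listed domain
    WebAccessEvent(1000, "10.0.0.9", "cdn.c2.bad.test"),    # subdomain of a listed domain
    WebAccessEvent(4624, "10.0.0.7", "evil.example"),       # wrong EventID: not a web access event, no alert
    WebAccessEvent(1000, "10.0.0.11", "malware-drop.example"),
]

if __name__ == "__main__":
    for hit in evaluate_rule1(SAMPLE_EVENTS):
        print(f"ALERT BlackListDomains: {hit.src_ip} -> {hit.accessed_domain}")
```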

Alert Object

Test Events