Alert on C2 or Consistent Callout Activity
Matt Worrilow
It would be helpful to create an alert only on C2 types of activity (think hundreds of callouts to an IP or set of malicious IPs), rather than alerting on every malicious IP/domain.
As an MSP we don't want to get thousands of alerts per day of clients hitting malicious or blocked IPs, but it would be good to get alerted when there are many suspicious DNS requests or callouts to C2 (command and control) type systems or malicious IPs from a single machine.
Our SIEM tools can do this where installed, but this seems like a feature that a DNS security tool like DNSFilter should or may offer.
Thank you,
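The behaviour-based alert described in the request above, as an added example that is not part of the original post and not DNSFilter's own code: it aggregates blocked DNS queries per source host over a sliding window and raises one alert when a host trips a threshold, instead of one alert per blocked query. It also flags the evenly spaced, repeated callouts typical of a beacon. The log format, the hostnames, the `.test` domains, the window size and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log (not real DNSFilter output). Fields: time, source host, domain, verdict.
# ws-17 beacons to one blocked domain every 60 s; ws-03 has two isolated blocked hits an hour apart.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ws-17 updates.example-vendor.test allowed
2024-03-01T10:00:05 ws-17 a1.c2-sample.test blocked
2024-03-01T10:01:05 ws-17 a1.c2-sample.test blocked
2024-03-01T10:02:05 ws-17 a1.c2-sample.test blocked
2024-03-01T10:03:05 ws-17 a1.c2-sample.test blocked
2024-03-01T10:04:05 ws-17 a1.c2-sample.test blocked
2024-03-01T10:05:05 ws-17 a1.c2-sample.test blocked
2024-03-01T10:02:30 ws-03 ads.tracker-sample.test blocked
2024-03-01T10:40:00 ws-03 cdn.example-vendor.test allowed
2024-03-01T11:10:00 ws-03 phish.sample-bad.test blocked
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(allowed|blocked)$")


def parse_log(text):
    """Parse lines into (time, host, domain, verdict) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, domain, verdict = m.groups()
        events.append((datetime.fromisoformat(ts), host, domain, verdict))
    events.sort(key=lambda e: e[0])
    return events


def per_hit_alert_count(text):
    """Baseline for comparison: the per-query scheme emits one alert for every blocked lookup."""
    return sum(1 for e in parse_log(text) if e[3] == "blocked")


def looks_like_beacon(times, max_cv=0.2, min_intervals=3):
    """True when consecutive callouts to one domain are evenly spaced (low coefficient of variation)."""
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(intervals) < min_intervals:
        return False
    avg = mean(intervals)
    return avg > 0 and pstdev(intervals) / avg <= max_cv


def analyze(text, window=timedelta(minutes=10), min_hits=5):
    """Emit at most one alert per host whose blocked queries reach min_hits inside any sliding window."""
    blocked_by_host = defaultdict(list)
    for t, host, domain, verdict in parse_log(text):
        if verdict == "blocked":
            blocked_by_host[host].append((t, domain))

    alerts = []
    for host, hits in blocked_by_host.items():
        j = 0
        for i in range(len(hits)):
            # Two-pointer sweep: j is the last hit still inside [hits[i].time, hits[i].time + window].
            j = max(j, i)
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            count = j - i + 1
            if count >= min_hits:
                span = hits[i:j + 1]
                by_domain = defaultdict(list)
                for t, d in span:
                    by_domain[d].append(t)
                alerts.append({
                    "host": host,
                    "hits": count,
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                    "domains": sorted(by_domain),
                    "beacon_like": any(looks_like_beacon(ts) for ts in by_domain.values()),
                })
                break  # one alert per host; a production rule would also apply a cooldown after firing
    return alerts


if __name__ == "__main__":
    print("per-hit alerts:", per_hit_alert_count(SAMPLE_LOG))
    for alert in analyze(SAMPLE_LOG):
        print("aggregated alert:", alert)
```

On the sample above the per-query scheme produces eight alerts while the aggregated rule produces one, for ws-17, and marks it beacon-like because its six callouts to a single domain are spaced exactly 60 seconds apart. Tune `window` and `min_hits` to the client's baseline; raising `min_hits` past the number of hits in the busiest window silences the rule, which is the knob that keeps a noisy ad-tracker block from paging anyone.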
Minetta Gould
Great idea, Matt Worrilow—this is a thoughtful take on alert fatigue and exactly the kind of signal MSPs care about. We’re currently reviewing different types of alerts to consider next year, and we’ve grouped this request with those for evaluation.
To the greater DNSFilter community, if C2-style, behavior-based alerts would be valuable in your environment, add a vote and share any extra context—that input helps us prioritize which alerting improvements to tackle first.