I just got the idea of tracking suspicious DNS Zone transfers and I want to make an alarm in Splunk for it. It looks like I only have about 14 IPs to vet and whitelist, shouldn't be too hard.
But I'm wondering if this is worth my time. My SOC maps everything to the MITRE framework and I don't see anything about tracking DNS zone transfers in there. Is this worth doing? Is it in the MITRE framework somewhere and I am just missing it?