Should I Make an Alarm to Track Suspicious DNS Zone Transfers? Is it part of the MITRE ATT&CK framework?

I just got the idea of tracking suspicious DNS Zone transfers and I want to make an alarm in Splunk for it. It looks like I only have about 14 IPs to vet and whitelist, shouldn't be too hard.

But I'm wondering if this is worth my time. My SOC maps everything to the MITRE framework and I don't see anything about tracking DNS zone transfers in there. Is this worth doing? Is it in the MITRE framework somewhere and I am just missing it?
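Zone-transfer enumeration sits under ATT&CK Reconnaissance (T1590.002, Gather Victim Network Information: DNS). As an added detection example that is not part of the original post, the script below parses constructed log lines modelled on BIND's xfer-out category (an assumption; adapt the regex to your own server's format) and reports every AXFR/IXFR start from a client outside a vetted peer list, which is the same logic a Splunk alert over the real logs would apply.

```python
import ipaddress
import re

# Constructed sample log lines approximating BIND's "xfer-out" category.
# Assumption: real output may differ slightly; adjust XFER_RE accordingly.
SAMPLE_LOG = """\
14-Mar-2024 09:12:01.123 xfer-out: info: client @0x7f 10.20.30.40#51234 (corp.example): transfer of 'corp.example/IN': AXFR started (serial 2024031401)
14-Mar-2024 09:12:01.140 xfer-out: info: client @0x7f 10.20.30.40#51234 (corp.example): transfer of 'corp.example/IN': AXFR ended
14-Mar-2024 09:15:44.001 xfer-out: info: client @0x7f 203.0.113.77#40011 (corp.example): transfer of 'corp.example/IN': AXFR started (serial 2024031401)
14-Mar-2024 09:16:02.555 xfer-out: info: client @0x7f 10.20.30.41#42222 (corp.example): transfer of 'corp.example/IN': IXFR started (serial 2024031401)
14-Mar-2024 09:20:00.000 queries: info: client @0x7f 10.9.8.7#5353 (www.corp.example): query: www.corp.example IN A + (10.0.0.53)
"""

# Vetted secondary name servers (constructed placeholder range standing in for
# the handful of IPs the post says need vetting). 10.20.30.40/29 = .40 to .47.
ALLOWED_XFER_PEERS = [ipaddress.ip_network("10.20.30.40/29")]

# Match only the "started" event so each transfer is reported once, and capture
# the client IP, the zone name and whether it was a full (AXFR) or incremental (IXFR) transfer.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"transfer of '[^']+': (?P<type>AXFR|IXFR) started"
)


def find_suspicious_transfers(log_text, allowed=ALLOWED_XFER_PEERS):
    """Return (client_ip, zone, transfer_type) for each zone transfer
    requested by a client that is not in the vetted peer list."""
    hits = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue  # ordinary queries and "ended" lines are ignored
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in allowed):
            continue  # known secondary, expected behaviour
        hits.append((str(ip), m["zone"], m["type"]))
    return hits


if __name__ == "__main__":
    for ip, zone, kind in find_suspicious_transfers(SAMPLE_LOG):
        print(f"ALERT: {kind} of {zone} served to non-allowlisted client {ip}")
```

In Splunk the equivalent is a `rex` extraction of the client IP and transfer type followed by a lookup against the vetted-peer list, alerting on rows with no match.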
