Good day all
We have a number of FMC-AMP alerts that trigger from these other 'new-standard' domain suffix types.
So FMC rules by default flag these domains as IOC, but various TalosIntelligence reviews and Googling seem to show them as 'neutral':
.top .win .dns .null
Is there any better place to look for validation on whether to change the rule or what?
Thanks
[1:44077:2] INDICATOR-COMPROMISE Suspicious .win dns query [Impact: Potentially Vulnerable] From "Wor FP-1 10.x.x.x" at Mon Oct 3 17:56:20 2022 UTC [Classification: Misc Activity] [Priority: 3] {udp} 192.168.243.238:57274 (unknown)->10.x.x.x:53 (unknown)
Ed
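As an added triage aid (not part of the post above, and not Cisco or Talos code): a parser for the FMC/Snort intrusion-event line quoted in the post, plus a per-host count of which TLD each source queried, so you can tell a broad scatter of one-off lookups (a threshold/suppression candidate) from a single host repeatedly hitting a TLD (worth a look before touching the rule). The regex is an assumption derived from the one line shown; the extra sample lines are constructed, and SID 0 in them is a placeholder, not a real rule.

```python
import re
from collections import Counter

# Field layout assumed from the single FMC event line in the post.
ALERT_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+'
    r'\[Impact: (?P<impact>[^\]]+)\]\s+From "(?P<sensor>[^"]+)" at '
    r'(?P<time>.+? UTC)\s+\[Classification: (?P<classification>[^\]]+)\]\s+'
    r'\[Priority: (?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+):(?P<sport>\d+) \([^)]*\)->(?P<dst>\S+):(?P<dport>\d+) \([^)]*\)$'
)
# The TLD the rule fired on is only present in the rule message text.
TLD_RE = re.compile(r'Suspicious (\.[A-Za-z0-9-]+) dns query', re.IGNORECASE)

# First line is the post's own event; the rest are constructed samples
# (SID 0 = placeholder rule id, hosts and times made up).
SAMPLE_ALERTS = [
    '[1:44077:2] INDICATOR-COMPROMISE Suspicious .win dns query [Impact: Potentially Vulnerable] '
    'From "Wor FP-1 10.x.x.x" at Mon Oct 3 17:56:20 2022 UTC [Classification: Misc Activity] '
    '[Priority: 3] {udp} 192.168.243.238:57274 (unknown)->10.x.x.x:53 (unknown)',
    '[1:44077:2] INDICATOR-COMPROMISE Suspicious .win dns query [Impact: Potentially Vulnerable] '
    'From "Wor FP-1 10.x.x.x" at Mon Oct 3 17:58:02 2022 UTC [Classification: Misc Activity] '
    '[Priority: 3] {udp} 192.168.243.238:57281 (unknown)->10.x.x.x:53 (unknown)',
    '[1:0:1] INDICATOR-COMPROMISE Suspicious .top dns query [Impact: Potentially Vulnerable] '
    'From "Wor FP-1 10.x.x.x" at Mon Oct 3 18:01:11 2022 UTC [Classification: Misc Activity] '
    '[Priority: 3] {udp} 192.168.243.51:50112 (unknown)->10.x.x.x:53 (unknown)',
    'not an alert line at all',
]

def parse_alert(line):
    """Return the event's fields as a dict, or None if the line is not an event."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ('sid', 'rev', 'priority', 'sport', 'dport'):
        d[k] = int(d[k])
    t = TLD_RE.search(d['msg'])
    d['tld'] = t.group(1).lower() if t else None   # None for non-DNS-TLD rules
    return d

def summarize(lines):
    """Count hits per (source host, TLD); unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a and a['tld']:
            counts[(a['src'], a['tld'])] += 1
    return counts

if __name__ == '__main__':
    for (host, tld), n in summarize(SAMPLE_ALERTS).most_common():
        print(f'{host:16} {tld:8} {n} alert(s)')
```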