We need to add to SN the ability to identify IoT C2 activity via DNS that we have learned from our Honeypots.
High level requirements include
creation of EDLs from IoT Domain files generated by honeypot team. First instance of this could be manual but long term could include Minemeld work to keep the EDL updated
identity the EDL event from the FW vs. the Threat events from DNS db or WF as these events will need special processing
When the honeypot team gives us a list of bad IoT domains/IPs, we will need to append these to the current EDL.
First iteration can be a manual script-run, upload to EDL.
Ticket #28: IoT Safe Networking Processing -- Domains
We need to add to SN the ability to identify IoT C2 activity via DNS that we have learned from our Honeypots.
High level requirements include