Artifact Explanations
Status
The Status column shows you the HYAS Protect verdict assigned to the domain. Options are:
Blocked: Red circle with line through it.
Highly Suspicious: Red bell.
Watch Engine: Yellow bell.
Permitted: Green bell.
No Status: Clear bell.
Date
This is the date/time that the DNS query was seen in traffic.
A Record
An "A record" (Address record) is a type of DNS (Domain Name System) record that maps a domain or subdomain to an IPv4 address. It associates a specific hostname with the corresponding numerical IP address, allowing computers to locate and connect to each other on the internet.
AAAA
A quad A or AAAA record is similar to an A record but is specifically used to map a domain or subdomain to an IPv6 address. While A records are for IPv4 addresses, AAAA records handle the mapping of domain names to IPv6 addresses, supporting the next generation of internet protocol.
Answer Country
This is the country geolocated from the IPv4 address returned in the A record, i.e. where the answer points, not where the querying client sits.
Client IP
This is the IP address captured as the source of the DNS query.
If you’ve deployed via the resolver, you’ll only see the egress/external/public IP address(es) and not private IPs. To see private IPs you must deploy via the Agent, MDE, SentinelOne or the HYAS Protect Relay.
CName
A CNAME (Canonical Name) record is a DNS entry that makes one name an alias for another. For example, if "subdomain.example.com" has a CNAME record pointing to "anotherdomain.com", a resolver looking up "subdomain.example.com" restarts the query at "anotherdomain.com" and returns that name's address records; no HTTP redirect is involved, and the client still connects using the original hostname. CNAMEs are not inherently insecure, but a misconfigured or manipulated CNAME is a real risk: a record that still points at a deprovisioned hosting target (a dangling CNAME) can be claimed by an attacker, which is the basis of subdomain takeover. Monitor CNAME targets and verify that each one is still under the control you expect.
CName FQDN
See above for an explanation of a CNAME. The CName FQDN is the Fully Qualified Domain Name of the CNAME target, that is, the canonical name the alias resolves to.
CName TLD
This is the Top Level Domain of the CNAME target. In the example above, the CName TLD is .com.
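The three CName columns above describe one link of a chain that a resolver actually walks to the end. The following added example (not HYAS Protect code) walks such a chain over a constructed zone snapshot and reports the CName FQDN, CName TLD and final A answers, and flags the two failure modes worth alerting on: a dangling target (subdomain-takeover candidate) and a loop. The names in ZONE and the helper names are assumptions made for the example.

```python
# Added example, not HYAS Protect code: follow CNAME chains in a constructed
# zone snapshot and report the CName FQDN, CName TLD, final A answers and
# broken chains. Names in ZONE and the helpers are assumptions for the example.

# Constructed zone snapshot: owner name -> list of (record type, rdata).
ZONE = {
    "www.example.com.":        [("CNAME", "edge.cdn-provider.net.")],
    "edge.cdn-provider.net.":  [("A", "203.0.113.10"), ("A", "203.0.113.11")],
    "blog.example.com.":       [("CNAME", "old-tenant.hosting-platform.io.")],  # target gone
    "a.example.com.":          [("CNAME", "b.example.com.")],
    "b.example.com.":          [("CNAME", "a.example.com.")],                   # CNAME loop
    "example.com.":            [("A", "203.0.113.1")],
}

MAX_CHAIN = 8  # real resolvers also cap chain length to stop loops and abuse


def fqdn(name):
    """Normalise to a lowercase, fully qualified name with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def tld(name):
    """Top-level domain of a name, with leading dot ('.com').
    Caveat: this is the true TLD, not the public suffix; 'shop.example.co.uk'
    gives '.uk', and registrable-domain logic needs the Public Suffix List."""
    return "." + fqdn(name).rstrip(".").split(".")[-1]


def resolve_chain(name, zone=ZONE):
    """Walk the CNAME chain for name. Returns status, the names visited and
    the A answers at the end of the chain (empty unless status is 'ok')."""
    visited = []
    cur = fqdn(name)
    while len(visited) < MAX_CHAIN:
        if cur in visited:
            return {"status": "loop", "chain": visited + [cur], "answers": []}
        visited.append(cur)
        rrs = zone.get(cur)
        if rrs is None:
            # NXDOMAIN on a CNAME *target* is a dangling alias: if the target
            # lives on a platform where anyone can register that name, the
            # alias is a subdomain-takeover candidate.
            status = "dangling" if len(visited) > 1 else "nxdomain"
            return {"status": status, "chain": visited, "answers": []}
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if cnames:
            cur = fqdn(cnames[0])  # a name may carry only one CNAME
            continue
        return {"status": "ok", "chain": visited,
                "answers": [rdata for rtype, rdata in rrs if rtype == "A"]}
    return {"status": "too_long", "chain": visited, "answers": []}


def describe(name, zone=ZONE):
    """Summarise a query the way the CName / CName FQDN / CName TLD columns do."""
    result = resolve_chain(name, zone)
    chain = result["chain"]
    cname_fqdn = chain[1] if len(chain) > 1 else None  # first alias target
    return {
        "domain": fqdn(name),
        "status": result["status"],
        "cname_fqdn": cname_fqdn,
        "cname_tld": tld(cname_fqdn) if cname_fqdn else None,
        "a_records": result["answers"],
    }


if __name__ == "__main__":
    for q in ("www.example.com", "blog.example.com", "a.example.com", "example.com"):
        print(describe(q))
```

The "dangling" status is the one to act on: confirm whether the target name can be registered on its hosting platform before treating it as a takeover exposure. Note that tld() returns the literal last label; for registrable-domain comparisons you need a public-suffix-aware library.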
Corporate Network
These are the Corporate Networks defined under Organization Settings>Source Networks. These are internal networks specified by Name and IP address.
Deployment Mode
Deployment Mode tells you whether you are in Protection Mode (Blocking) or Inspection Mode (Non-blocking).
Device Name
This shows you the name of the device that made the DNS query. It is useful for identifying machines that are engaging in possibly malicious activity or that are infected.
Device Name can only be viewed if deployed via the HYAS Agent or MDE.
Domain
This is the domain that devices are attempting to communicate with.
Domain Age
Domain age is the time since a domain was first registered, measured from the registration date to the present. It matters because an established domain has had time to build a history and a reputation, whereas a newly registered domain has neither; phishing kits and malware infrastructure are very often stood up on domains registered days or hours before use. A low domain age is therefore one of the more useful single indicators when deciding whether a query deserves investigation. It is not proof on its own in either direction: long-registered domains are compromised or bought by attackers too, and many legitimate services register new domains.
Domain Category
Domain category, or website category, is the classification of a domain by its content or purpose, such as news, education or e-commerce. It helps you judge whether a query is expected for the device and user that made it, and whether the content type itself carries elevated risk.
Domain TLD
Domain TLD, or Top-Level Domain, is the last label of a domain name, after the final dot; examples include ".com", ".org" and ".net". Some TLDs are restricted and therefore say something about the registrant, such as ".gov" for US government entities or ".edu" for accredited US educational institutions. The TLD is also relevant in cybersecurity because abuse is not evenly distributed: some TLDs, typically those that are cheap or free to register, carry a disproportionate share of spam, phishing and malware domains. Treat the TLD as one input alongside domain age, registrar and nameserver rather than as a verdict on its own.
Endpoint Type
This is the endpoint type from which the DNS query originated. Possible endpoints are macos, windows, android and iOS.
FQDN
An FQDN (Fully Qualified Domain Name) is the complete name of a host within the DNS hierarchy, comprising the hostname and the full domain, for example "subdomain.example.com". When evaluating safety, examine the full FQDN rather than the registrable domain alone. A single domain can host many hostnames, and each can resolve to a different server: "example.com" may be legitimate while "evil.example.com" points at attacker-controlled infrastructure, for instance through a hijacked zone or a dangling record. Cloud and CDN platforms also issue per-tenant hostnames under one shared domain, so the domain by itself says little about who controls the host. The FQDN is what the resolver actually resolves, and therefore what determines which IP address the device connects to.
FQDN Nameserver
See above for an explanation of an FQDN. The FQDN Nameserver is simply the Fully Qualified Domain Name of the Nameserver.
Group
When using the Azure Active Directory (AAD) integration, the Group displayed in the UI corresponds to that of the assigned AAD group.
Nameserver
A nameserver is a server that holds DNS records for a zone and answers queries for it; the authoritative nameservers for example.com are the ones that ultimately say which IP addresses its names map to. The nameserver is a strong signal when assessing a domain. Infrastructure is often reused across campaigns, so domains served by the same nameservers as known-bad domains deserve scrutiny, and a sudden change of nameservers can indicate a hijacked registrar account or a compromised zone. Whoever controls a domain's nameservers can point any of its names wherever they like, which is why nameserver reputation, history and configuration integrity are part of phishing and fraud detection and of judging a domain's overall legitimacy.
Nameserver Country
The Nameserver Country refers to the geographical location or country associated with a specific DNS nameserver. This information is often used to determine the physical location or origin of the server handling DNS requests for a particular domain. The nameserver country is typically identified based on the IP address of the DNS server.
It's important to note that while the nameserver country can provide an indication of the server's location, it doesn't necessarily reflect the physical location of the domain owner or the hosted content. DNS information is distributed globally, and the nameserver country is determined by the location of the DNS server itself.
NS IP
The NS IP is the IP address(es) associated with the Nameserver.
NS TLD
This is the Top Level Domain associated with the Nameserver.
Policy
This relates to the Azure Active Directory (AAD) integration. When using the AAD integration, you are able to create policies specific to AAD groups. If not using the AAD integration, this column will display a blank or “Default” value.
Process Name
In the context of HYAS Protect and DNS, Process Name refers to the process that initiated the outbound DNS query.
Process Names will only appear for select processes when deployed via the HYAS Protect Agent, and only for those MDE events that include it (MDE generally reports network and device events). Resolver-based deployments will not receive process name information.
Query Type
Query Type refers to the type of DNS query that is seen. Each type has a unique purpose as described below:
A (Address) Record:
Purpose: Resolves a domain name to an IPv4 address.
Example: Resolving "example.com" to its corresponding IPv4 address.
AAAA (IPv6 Address) Record:
Purpose: Similar to A record but for IPv6 addresses.
Example: Resolving a domain to its IPv6 address.
CNAME (Canonical Name) Record:
Purpose: Alias of one domain to another, often used for subdomains or load balancing.
Example: Resolving "www.example.com" to "example.com", whose A record then supplies the address.
MX (Mail Exchange) Record:
Purpose: Specifies mail servers responsible for receiving emails on behalf of the domain.
Example: Identifying mail servers for a domain.
NS (Name Server) Record:
Purpose: Indicates authoritative DNS servers for the domain.
Example: Identifying the authoritative name servers for a domain.
PTR (Pointer) Record:
Purpose: Used for reverse DNS lookups, mapping an IP address to a domain.
Example: Resolving an IP address to its corresponding domain.
SOA (Start of Authority) Record:
Purpose: Contains the zone's administrative parameters: the primary nameserver, the responsible party's contact, the zone serial number and the refresh, retry, expire and minimum TTL timers.
Example: Storing administrative details, like the primary DNS server and contact email.
TXT (Text) Record:
Purpose: Holds free-form text associated with a domain. Commonly used for DNS-based verification and email authentication. Because TXT answers can carry arbitrary data, TXT is also a favoured channel for DNS tunnelling and command-and-control, so an unusual volume of TXT queries from one client to one domain is worth investigating.
Example: Storing SPF (Sender Policy Framework) records for email authentication.
SRV (Service) Record:
Purpose: Specifies information on available services within a domain, like SIP or XMPP.
Example: Identifying servers for a specific service.
DNSKEY (DNS Key) Record:
Purpose: Holds public keys used in DNSSEC (Domain Name System Security Extensions) to verify the authenticity of DNS data.
Example: Supporting DNS security through cryptographic keys.
Reason
The Reason column displays why the verdict was made. Reason examples:
HYAS Engine: The HYAS Protect Decision Engine made the determination.
Applies to: Allowed, Blocked, Watch Engine, Highly Suspicious & No Verdict traffic
Block List: The domain was added to a block list.
Applies to: Blocked traffic.
Allow List: The domain was added to an allow list
Applies to: Allowed traffic.
Registrar
A domain registrar is a company that manages the reservation of domain names on the internet. They facilitate the process of purchasing and registering domain names for individuals or organizations. Additionally, domain registrars help maintain and update the domain's registration information in the domain name system (DNS) database.
Response Code
NXDomain: Stands for Non-Existent Domain. It indicates that the domain name in a DNS query does not exist and could not be resolved to an IP address.
No Error: Indicates a successful DNS resolution without any errors or issues.
ServFail: Server Failure. The resolver could not complete the query, for example because the authoritative servers were unreachable or returned bad data, or because DNSSEC validation failed. Persistent ServFail for one domain is worth checking, but it is an error condition, not evidence that the domain does not exist.
NotImp: Abbreviation for Not Implemented. This error code indicates that the DNS server does not support the requested operation.
NotAuth: Stands for Not Authoritative: the server that answered is not authoritative for the zone named in the query. The same code is also used to signal Not Authorized when transaction signature (TSIG) authentication fails.
Rule
The Rule column indicates when a rule has been applied to a domain through policy management.
Source Type
This indicates the deployment type for the device that generated the query. Possible results include MDE, Roaming Agent, Relay, S1, and Corporate Network.
Tags
Tags are included for certain domains within HYAS Protect. The Tags are meant to add additional context into why the Decision Engine assigned the corresponding verdict. Please note that not all domains will have Tags associated. The availability of Tags will vary based on HYAS’s overall knowledge of the domain. The absence of Tags does not indicate a lack of domain intelligence; it simply means that additional contextual information or specific categorization may not be present for every domain within the HYAS Protect platform.
Inarpa: Short for in-addr.arpa, the special domain used in the Domain Name System (DNS) for reverse DNS lookups, mapping an IPv4 address to a domain name (IPv6 reverse lookups use ip6.arpa). "in-addr" is short for "internet address", and "arpa" is the top-level domain reserved for infrastructure use. A query tagged this way is a PTR lookup for an address rather than a lookup of a hostname.
Proxy: A proxy is an intermediary server or application that acts as a gateway between a user's device (such as a computer or smartphone) and the internet. It serves as a mediator for requests and responses, forwarding them on behalf of the user.
Suspicious Domain: A website or network address causing concern due to potential malicious or deceptive activities, such as phishing, malware distribution, or other cyber threats.
Suspicious IP: An IP address that raises concerns due to potential involvement in malicious or deceptive activities, such as cyber attacks, malware distribution, or other security threats.
Suspicious FQDN: A domain name indicating potential risk or malicious intent, often associated with phishing, scams, or illicit online activities, prompting caution in its use or interaction.
Suspicious Registrar: A domain registration service or entity raising concerns for its association with fraudulent or malicious activities, facilitating the creation of domains for phishing, scams, or illicit purposes.
Suspicious TLD: A domain extension causing concerns due to its association with potentially malicious or deceptive activities, often linked to higher instances of spam, phishing, or cyber threats.
Tor: Short for The Onion Router, a privacy-focused network that enables anonymous communication over the Internet. It directs Internet traffic through a volunteer overlay network of servers, or nodes, to conceal the user's identity and location. The name "onion" refers to the multiple layers of encryption applied to the data, enhancing security and privacy. Tor is often used for accessing websites anonymously and evading censorship, but it can also be misused for illicit activities because of its anonymity features.
VPN: A Virtual Private Network, is a secure and encrypted connection that allows users to access the internet while ensuring privacy and anonymity by masking their IP addresses. If the VPN tag is displayed, this means that a device is using a VPN to make outbound DNS requests.
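The PTR query type and the Inarpa tag both concern reverse lookups, where the Domain column holds a name such as 77.2.0.192.in-addr.arpa rather than a hostname. The following added example (not HYAS Protect code) shows how those names are built for IPv4 and IPv6, how to parse them back into addresses when reading a log, and one detection built on top: a burst of reverse lookups across one internal subnet, which is what host enumeration looks like in DNS. The sample query list and the sweep threshold are constructed assumptions.

```python
# Added example, not HYAS Protect code: build and parse the reverse-lookup
# names behind PTR queries and the Inarpa tag, then spot reverse sweeps in a
# constructed list of PTR query names. Thresholds are assumptions.
import ipaddress
from collections import defaultdict


def reverse_name(ip):
    """PTR query name for an IPv4 or IPv6 address, built by hand to show the
    mechanics (ipaddress.ip_address(ip).reverse_pointer gives the same result)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    # IPv6: one label per hex nibble, 32 in all, least significant first.
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def parse_reverse_name(name):
    """Inverse of reverse_name: in-addr.arpa / ip6.arpa name -> address object,
    or None if the name is not a well-formed reverse name."""
    labels = name.strip().rstrip(".").lower().split(".")
    parts, suffix = labels[:-2], labels[-2:]
    if suffix == ["in-addr", "arpa"]:
        if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
            return None
        return ipaddress.ip_address(".".join(reversed(parts)))
    if suffix == ["ip6", "arpa"]:
        if len(parts) != 32 or not all(len(p) == 1 and p in "0123456789abcdef" for p in parts):
            return None
        hexstr = "".join(reversed(parts))
        return ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    return None


def ptr_sweeps(names, threshold=8, internal_only=True):
    """Group IPv4 PTR targets by /24 and return networks for which at least
    `threshold` distinct hosts were looked up: many reverse lookups across one
    subnet is a classic sign of host enumeration."""
    buckets = defaultdict(set)
    for n in names:
        addr = parse_reverse_name(n)
        if addr is None or addr.version != 4:
            continue
        if internal_only and not addr.is_private:
            continue
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        buckets[str(net)].add(str(addr))
    return {net: len(hosts) for net, hosts in buckets.items() if len(hosts) >= threshold}


# Constructed sample of PTR query names as they would appear in the Domain column.
SAMPLE_PTR_QUERIES = (
    [reverse_name(f"10.0.5.{i}") for i in range(1, 11)]      # sweep of 10.0.5.0/24
    + ["77.2.0.192.in-addr.arpa", "8.8.8.8.in-addr.arpa"]     # isolated lookups
    + [reverse_name("2001:db8::1")]                           # IPv6, ignored by ptr_sweeps
)

if __name__ == "__main__":
    print(ptr_sweeps(SAMPLE_PTR_QUERIES))
```

Parsing is strict on purpose: a name under in-addr.arpa with the wrong number of labels or an octet above 255 is rejected rather than guessed at, since logs do contain malformed reverse names. Management tools and monitoring agents also perform reverse lookups legitimately, so pair the sweep count with the Client IP and Process Name columns before acting.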
Threats
When a query is categorized as a Threat, the assigned sub-category appears here.
TTL
TTL stands for Time to Live. It represents the amount of time a DNS record is considered valid by caching servers or devices. When a device queries a DNS server for a specific domain's IP address, the server includes a TTL value in its response. This value indicates how long the information can be cached by the querying device before it needs to request the information again. Once the TTL expires, the device needs to perform a new DNS query to get the updated information.
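Several of the columns on this page (Date, Client IP, Domain, Query Type, Response Code, A Record, TTL and Domain Age) become useful in combination. The following added example (not HYAS Protect code and not the HYAS export format) triages a constructed set of log records with those fields and implements three checks a practitioner would run over such an export: an NXDomain burst per client, successfully resolved domains with a very low Domain Age, and a name whose A answer keeps changing under a short TTL. Field names, sample data and thresholds are assumptions made for the example.

```python
# Added example, not HYAS Protect code: triage a constructed export of DNS
# log records whose fields mirror the columns on this page (Date, Client IP,
# Domain, Query Type, Response Code, A Record, TTL, Domain Age). The field
# names, record format and thresholds are assumptions, not the HYAS export.
from collections import defaultdict
from datetime import datetime, timedelta


def rec(date, client, domain, rcode, qtype="A", a=None, ttl=None, age=None):
    return {"date": date, "client_ip": client, "domain": domain, "query_type": qtype,
            "response_code": rcode, "a_record": a, "ttl": ttl, "domain_age_days": age}


# Constructed sample records (RFC 5737 / RFC 1918 addresses, invented domain names).
RECORDS = [
    # 10.0.0.7: six NXDomain answers for random-looking names inside one minute
    rec("2024-05-01T10:00:01Z", "10.0.0.7", "kqzvtxmpa.info", "NXDomain"),
    rec("2024-05-01T10:00:04Z", "10.0.0.7", "wpelrbqdo.biz", "NXDomain"),
    rec("2024-05-01T10:00:09Z", "10.0.0.7", "yhnvcxpoi.net", "NXDomain"),
    rec("2024-05-01T10:00:15Z", "10.0.0.7", "ztrqmbvaw.info", "NXDomain"),
    rec("2024-05-01T10:00:22Z", "10.0.0.7", "lkjpoiuqw.org", "NXDomain"),
    rec("2024-05-01T10:00:40Z", "10.0.0.7", "mnbvcxzas.biz", "NXDomain"),
    # 10.0.0.9: one lookup of a domain registered three days ago, plus normal traffic
    rec("2024-05-01T10:01:00Z", "10.0.0.9", "login-verify-portal.com", "No Error",
        a="198.51.100.20", ttl=300, age=3),
    rec("2024-05-01T10:01:30Z", "10.0.0.9", "example.com", "No Error",
        a="203.0.113.1", ttl=3600, age=9000),
    # 10.0.0.12: the same name answers with a different address on every query at a 60 s TTL
    rec("2024-05-01T10:02:00Z", "10.0.0.12", "cdn-update.example.net", "No Error",
        a="198.51.100.31", ttl=60, age=400),
    rec("2024-05-01T10:03:05Z", "10.0.0.12", "cdn-update.example.net", "No Error",
        a="198.51.100.32", ttl=60, age=400),
    rec("2024-05-01T10:04:10Z", "10.0.0.12", "cdn-update.example.net", "No Error",
        a="198.51.100.33", ttl=60, age=400),
    rec("2024-05-01T10:05:15Z", "10.0.0.12", "cdn-update.example.net", "No Error",
        a="198.51.100.34", ttl=60, age=400),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def nxdomain_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Clients that received NXDomain for >= threshold distinct domains inside
    one sliding window: the pattern a DGA leaves while hunting for a live C2 name."""
    by_client = defaultdict(list)
    for r in records:
        if r["response_code"] == "NXDomain":
            by_client[r["client_ip"]].append((parse_ts(r["date"]), r["domain"]))
    hits = {}
    for client, events in by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {d for t, d in events[i:] if t - start <= window}
            if len(names) >= threshold:
                hits[client] = len(names)
                break
    return hits


def young_domains(records, max_age_days=30):
    """Domains that resolved successfully and were registered fewer than
    max_age_days ago; a low Domain Age is a strong phishing indicator."""
    return sorted({r["domain"] for r in records
                   if r["response_code"] == "No Error"
                   and r["domain_age_days"] is not None
                   and r["domain_age_days"] < max_age_days})


def rotating_answers(records, max_ttl=300, min_answers=4):
    """Domains whose A answers changed across >= min_answers queries while
    advertising a TTL <= max_ttl: a short TTL is what lets an operator rotate
    infrastructure under a stable name. CDNs do this legitimately, so treat
    the result as a lead, not a verdict."""
    answers = defaultdict(set)
    for r in records:
        if (r["query_type"] == "A" and r["a_record"]
                and r["ttl"] is not None and r["ttl"] <= max_ttl):
            answers[r["domain"]].add(r["a_record"])
    return {d: sorted(ips) for d, ips in answers.items() if len(ips) >= min_answers}


def triage(records):
    return {"nxdomain_bursts": nxdomain_bursts(records),
            "young_domains": young_domains(records),
            "rotating_answers": rotating_answers(records)}


if __name__ == "__main__":
    print(triage(RECORDS))
```

Each check keys on a different column, which is the point: NXDomain bursts need only Client IP, Date and Response Code; the young-domain check needs Domain Age together with a successful Response Code; the rotation check needs A Record and TTL across several queries for one Domain. Tune the thresholds against your own baseline before alerting on them.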
Username
The username assigned through MDE, SentinelOne, or the HYAS Protect Agent.