🔥 3-day streak
Professional Security Operations Engineer143 / 241
Question 143 of 241

A threat hunter has a GTI-sourced list of 40 suspicious domains tied to a commodity loader campaign. They run a UDM search over 30 days of DNS and HTTP proxy logs and find several matches, but they want to distinguish domains that were resolved but never actually connected to (potentially blocked or sinkholed) from domains where a full session was established. Which UDM search approach BEST lets them separate resolved-only activity from established-connection activity across both log sources in a single hunt?

Reviewed for accuracy · Report an issueNext question