This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Advanced Threat Protection Logs

Good morning, Experts!

I came in to work today to find the following in my Advanced Threat Protection logs.  The source IP addresses are my internal Active Directory servers (which forward DNS requests out to Google).   

I have scanned one of the Active Directory servers listed in the logs with the Sophos Virus Removal Tool, and it reports no infection.  

I am guessing that this was a request from a machine on my network.  Am I correct, and, if so, how can I find which machine was making the DNS requests?

Any information would be GREATLY appreciated!  This is not how I planned on spending my day!  :-)

 

2020:01:14-21:08:28 gateway afcd[12241]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="xxxxxxxxxxxx" dstip="8.8.8.8" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="xxxxxxxxxxxx" url="-" action="drop"
2020:01:14-21:08:33 gateway afcd[12241]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="xxxxxxxxxxxx" dstip="8.8.4.4" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="xxxxxxxxxxxx" url="-" action="drop"



This thread was automatically locked due to age.
  • This usually means that something attempted a lookup to one of the top-level domains that UTM considers unsafe, and the lookup was blocked.   If it comes from DNS server overhead, you will see one from each server.   If the request comes from a client, you will see an alarm from each DNS server configured on the client.

    The only way to know for sure is to enable DNS logging on your Active Directory server.