
Threat Feed - DNS Response blocked - how to find the original host requested

Case:

Client with Sophos Endpoint does DNS Request to XGS as resolver

DNS Response IP is seen in a 3rd Party Threat Feed

Firewall generates ATP Alert and sends red Heartbeat to Sophos Central

The Client is isolated by Sophos Central.

Now, how can I find out which hostname the client requested in the DNS request? The IP is from a huge Google IP List.

The firewall is not logging DNS requests unfortunately.

Datalake Query was not bringing expected results.



Added TAGs
[edited by: Raphael Alganes at 2:15 PM (GMT -8) on 7 Jan 2025]
  • XDR queries could help. Generally speaking, it is hard to find this, as we "cannot" store DNS queries on a firewall due to the amount of queries the clients will generate. 

    You could try to find a matching DNS packet at the "exact same time" but even this will not help you. 

    This issue came up in the past years with UTM ATP as well. 

    Can you see via mouse over more information about this DNS drop? 


  • I spent some time with the XDR Queries, could find a lot of browser-related connections but no DNS requests.

    2025-01-07 11:11:12 Active threat response messageid="18009" log_type="ATP" log_component="DNS" log_subtype="Alert" user="username" protocol="UDP" src_port="52472" dst_port="53" src_ip="xxx.xxx.xxx.xxx" dst_ip="Firewall-LAN-IP" url="143.204.98.125" threat="Blocklistname" threatfeed="Blocklistname" event_id="" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""

  • What DNS server do you use on SFOS? Not by any chance Secure DNS by Central?  


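One way to do the correlation the first reply describes (matching the alert against DNS queries made at the same time), as an added Python example that is not part of this thread or of Sophos tooling: it parses the ATP log line's key="value" fields and looks up the alerting client's queries in a set of constructed DNS records. It assumes you have some per-client source of DNS query records outside the firewall (an endpoint DNS client log, a resolver query log or a packet capture summary); the 10.0.0.x addresses and example.* names are made up.

```python
from datetime import datetime
import re

# Constructed ATP alert line modelled on the one posted in the thread; the
# client IP (src_ip) and firewall IP (dst_ip) are made-up values.
ALERT_LINE = ('2025-01-07 11:11:12 Active threat response messageid="18009" log_type="ATP" '
              'log_component="DNS" log_subtype="Alert" user="username" protocol="UDP" '
              'src_port="52472" dst_port="53" src_ip="10.0.0.23" dst_ip="10.0.0.1" '
              'url="143.204.98.125" threat="Blocklistname" threatfeed="Blocklistname"')

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_sfos_line(line):
    """Split an SFOS log line into its key="value" fields plus a parsed timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return fields

def T(hms):
    return datetime.strptime("2025-01-07 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed DNS query records, e.g. exported from an endpoint DNS client log or
# a resolver's query log: (timestamp, client IP, queried name, answer IPs).
DNS_RECORDS = [
    (T("11:11:11"), "10.0.0.23", "cdn.example.com", ["143.204.98.125", "143.204.98.7"]),
    (T("11:11:12"), "10.0.0.23", "login.example.net", ["198.51.100.9"]),
    (T("11:11:12"), "10.0.0.77", "other.example.org", ["143.204.98.125"]),  # different client
    (T("11:10:02"), "10.0.0.23", "old.example.com", ["143.204.98.125"]),     # outside window
]

def correlate(alert, records, window_s=5):
    """Return queried names from the alerting client within +/- window_s of the alert.
    Names whose answers contain the blocked IP (the url= field in this alert type)
    come first; if none match on IP, fall back to every query the client made in
    the window, which is the best you can do without the answer data."""
    t0, client, blocked_ip = alert["timestamp"], alert["src_ip"], alert["url"]
    in_window = [r for r in records
                 if r[1] == client and abs((r[0] - t0).total_seconds()) <= window_s]
    by_ip = [qname for _, _, qname, answers in in_window if blocked_ip in answers]
    return by_ip or [qname for _, _, qname, _ in in_window]

if __name__ == "__main__":
    alert = parse_sfos_line(ALERT_LINE)
    print(alert["threat"], alert["url"], "->", correlate(alert, DNS_RECORDS))
```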