We received a couple of ATP alerts with Threat Name C2/Generic-A and an Origin of AFCd. I think these are coming from our internal DNS server but want to confirm. Looking at the ATP log, the srcip = our internal DNS server, the dstip = "220.127.116.11" and the host = "18.104.22.168".
I had turned on the Windows DNS Debug Log. There are no entries for IP '22.214.171.124' but there is one for '126.96.36.199':
"10/20/2021 9:07:16 AM 0894 PACKET 0000002AE329C140 UDP Snd 188.8.131.52 fd5e Q [0000 NOERROR] A (7)cust-dv(8)zentrick(3)com(0)"
I'm trying to determine if we have a Windows client that is potentially creating the alerting DNS request. Any suggestions on trying to find the client?
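One way to answer the question above from the Windows DNS debug log itself, as an added example that is not part of the thread: the client's address only appears in "Rcv ... Q" lines (the query arriving at the server), while the "Snd" line quoted in the post is the server forwarding that same lookup upstream. The script below parses the default "Log packets for debugging" layout, decodes the length-prefixed name form, and counts which clients asked for a given domain; the sample log is constructed (the quoted Snd line plus invented lines with private client addresses 10.0.0.25 and 10.0.0.77).

```python
import re
from collections import Counter

# Windows DNS Server debug log ("Log packets for debugging") line layout, as in the
# question's sample line:
#   <date> <time> <thread> PACKET <ptr> <UDP|TCP> <Snd|Rcv> <remote ip> <xid> [R] <opcode> [<flags> <rcode>] <qtype> <name>
# Client lookups arrive as "Rcv <client ip> ... Q" with no "R" (response) marker;
# "Snd <forwarder ip> ... Q" is the server forwarding that lookup upstream.
PACKET_RE = re.compile(
    r"PACKET \S+ (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<remote>\S+)\s+(?P<xid>\S+)\s+"
    r"(?P<resp>R)?\s*(?P<op>[QNU?])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

def decode_name(wire: str) -> str:
    """Turn the log's '(7)cust-dv(8)zentrick(3)com(0)' label form into 'cust-dv.zentrick.com'."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()]*)", wire) if label]
    return ".".join(labels).lower() or "."

def parse_line(line: str):
    """Return the parsed packet record as a dict, or None for non-PACKET lines."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"])
    rec["is_response"] = rec["resp"] == "R"
    return rec

def clients_querying(lines, domain: str) -> Counter:
    """Count inbound client queries (Rcv, not a response) for domain or any name under it."""
    domain = domain.lower().rstrip(".")
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["dir"] != "Rcv" or rec["is_response"] or rec["op"] != "Q":
            continue
        if rec["name"] == domain or rec["name"].endswith("." + domain):
            hits[rec["remote"]] += 1
    return hits

# Constructed sample log: the Snd line quoted in the question plus invented Rcv/Snd
# lines for two private clients (10.0.0.25, 10.0.0.77) and the forwarder's reply.
SAMPLE_LOG = """\
10/20/2021 9:07:16 AM 0894 PACKET 0000002AE329C140 UDP Rcv 10.0.0.25 fd5e Q [0001 D NOERROR] A (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET 0000002AE329C140 UDP Snd 188.8.131.52 fd5e Q [0000 NOERROR] A (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET 0000002AE329C140 UDP Rcv 188.8.131.52 fd5e R Q [8081 DR NOERROR] A (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET 0000002AE329C140 UDP Snd 10.0.0.25 fd5e R Q [8081 DR NOERROR] A (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:18 AM 0894 PACKET 0000002AE329D2A0 UDP Rcv 10.0.0.77 a1b2 Q [0001 D NOERROR] AAAA (8)zentrick(3)com(0)
10/20/2021 9:07:20 AM 0894 PACKET 0000002AE329E400 UDP Rcv 10.0.0.25 c3d4 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
""".splitlines()

if __name__ == "__main__":
    for ip, n in clients_querying(SAMPLE_LOG, "zentrick.com").most_common():
        print(f"{ip}\t{n} query(ies)")
```

If the debug log holds only Snd lines for the name, the lookup did not arrive as a client query on that server (a server-side or cached lookup, or a query that reached it through another resolver), so the search has to move to that intermediate hop.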
Hi neighbor and welcome to the UTM Community!
In another thread here with posts at about the same time as yours, 184.108.40.206 was falsely provoking ATP alerts. There's likely a bad pattern that will be fixed soon by Sophos. If this is a paid license, please open a case with Sophos Support.
Cheers - Bob