Question about ATP log

We received a couple of ATP alerts with Threat Name C2/Generic-A and Origin of AFCd.  I think these are coming from our internal DNS server but want to confirm.  Looking at the ATP log, the srcip = our internal DNS server, the dstip = "205.251.194.229"  and the host="167.172.157.200".

I had turned on the Windows DNS Debug Log.  There are no entries for ip '167.172.157.200'  but there is one for '205.251.194.229':

"10/20/2021 9:07:16 AM 0894 PACKET  0000002AE329C140 UDP Snd 205.251.194.229 fd5e   Q [0000       NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)"

I'm trying to determine if we have a Windows client that is potentially creating the alerting DNS request.  Any suggestions on trying to find the client?

Thanks!
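One way to trace the client from the DNS debug log, as an added example that is not from the post or from Sophos: a Python script that parses Windows DNS Server debug-log packet lines, collects the query names the server forwarded (Snd) to the upstream address from the alert, and lists the internal clients whose inbound (Rcv) queries for those same names caused the lookup. The sample log is constructed: only its Snd line is the one quoted above, and the client addresses 10.0.0.25 and 10.0.0.40 are assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Windows DNS Server debug-log packet format. The Snd line is the
# one quoted in the post; the Rcv lines and client IPs 10.0.0.25 / 10.0.0.40 are made up.
SAMPLE_LOG = """\
10/20/2021 9:07:15 AM 0894 PACKET  0000002AE329C0A0 UDP Rcv 10.0.0.25       1a2b   Q [0001   D   NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET  0000002AE329C140 UDP Snd 205.251.194.229 fd5e   Q [0000       NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET  0000002AE329C140 UDP Rcv 205.251.194.229 fd5e   R [8081   DR  NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:08:02 AM 0894 PACKET  0000002AE329C3C0 UDP Rcv 10.0.0.40       77c1   Q [0001   D   NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:08:05 AM 0894 PACKET  0000002AE329C400 UDP Rcv 10.0.0.25       0c2d   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

# Packet line: date time thread PACKET ctx proto Snd|Rcv remote-ip xid Q|R [flags] qtype name
# (12-hour timestamps with AM/PM, as in the post; adjust the ts group for other locales)
PACKET_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+(?:UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<ip>[0-9a-fA-F.:]+)\s+\S+\s+(?P<qr>[QR])\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+"
    r"(?P<name>\(\d+\)\S*\(0\))\s*$"
)

def decode_name(raw):
    """'(7)cust-dv(8)zentrick(3)com(0)' -> 'cust-dv.zentrick.com'."""
    return ".".join(l for l in re.findall(r"\(\d+\)([^(]*)", raw) if l).lower()

def parse(log_text):
    """Yield one dict per packet line; non-matching lines (answer dumps, headers) are skipped."""
    for line in log_text.splitlines():
        m = PACKET_RE.match(line.strip().strip('"'))
        if m:
            rec = m.groupdict()
            rec["name"] = decode_name(rec["name"])
            yield rec

def find_clients(log_text, upstream_ip):
    """Map each query name the server sent (Snd) to upstream_ip onto the internal
    clients whose inbound (Rcv) queries for that same name caused the lookup."""
    recs = list(parse(log_text))
    names = {r["name"] for r in recs if r["dir"] == "Snd" and r["qr"] == "Q" and r["ip"] == upstream_ip}
    clients = defaultdict(Counter)
    for r in recs:
        if r["dir"] == "Rcv" and r["qr"] == "Q" and r["name"] in names:
            clients[r["name"]][r["ip"]] += 1
    return {n: dict(c) for n, c in clients.items()}

if __name__ == "__main__":
    for name, hits in find_clients(SAMPLE_LOG, "205.251.194.229").items():
        print(name, hits)
```

Point it at the real dns.log (with the same upstream address taken from the ATP alert) to get the client IPs and query counts; the Rcv response from the upstream server is excluded because it is an R packet, not a Q.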

  • Hi neighbor and welcome to the UTM Community!

    In another thread here with posts at about the same time as yours, 167.172.157.200 was falsely provoking ATP alerts.  There's likely a bad pattern that will be fixed soon by Sophos.  If this is a paid license, please open a case with Sophos Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA