This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Question about ATP log

We received a couple ATP alerts with Threat Name C2/Generic-A and Origin of AFCd. I think these are coming from our internal DNS server but wanting to confirm. Looking at the ATP log, the srcip = our internal DNS server, the dstip = "205.251.194.229" and the host="167.172.157.200".

I had turned on the Windows DNS Debug Log. There are no entries for ip '167.172.157.200' but there is one for '205.251.194.229':

"10/20/2021 9:07:16 AM 0894 PACKET 0000002AE329C140 UDP Snd 205.251.194.229 fd5e Q [0000 NOERROR] A (7)cust-dv(8)zentrick(3)com(0)"

I'm trying to determine if we have a windows client that is potentially creating the alerting DNS request. Any suggestions on trying to find the client?

Thanks!

This thread was automatically locked due to age.

Parents

BAlfson over 3 years ago

Hi neighbor and welcome to the UTM Community!

In another thread here with posts at about the same time as yours, 167.172.157.200 was falsely provoking ATP alerts. There's likely a bad pattern that will be fixed soon by Sophos. If this is a paid license, please open a case with Sophos Support.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

BAlfson over 3 years ago

Hi neighbor and welcome to the UTM Community!

In another thread here with posts at about the same time as yours, 167.172.157.200 was falsely provoking ATP alerts. There's likely a bad pattern that will be fixed soon by Sophos. If this is a paid license, please open a case with Sophos Support.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data