Advanced Threat Protection

Question

Hello, 
 In last couple of days i start receive emails from my Sophos UTM (Firmware version 9.350-12) 
 A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company. 
 Details about the alert: 
 Threat name....: C2/Generic-A 
 Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx 
 Time...........: 2016-03-20 06:41:17 
 Traffic blocked: yes 
 Source IP address or host: 218.60.112.225 
 
 Every Email include different IP Address but it's not my LAN Network. How i can find problematic machine (IP) from my local network ?

William Warren · Answer

part of it is configuration of your dns. in order for ATP to work correctly you need to have all dns requests go to the firewall FIRST. if you are not using the firewall for dhcp then set primary dns in dhcp as the firewall. 
 
 If you are using AD then you also need to setup dns routing under dns in the webadmin so the firewall will route internal dns requests to your AD server/s. Then you will get proper alerts for internal machines...:)

Indicator	218.60.112.225
Reverse DNS	cncln.online.ln.cn
Country	CN
ASN	4837
Organization	China Unicom Liaoning
Insights	DShield has observed IP 218.60.112.225 scanning 227 targets resulting in 1426 reports from 2015-10-20 to 2016-03-22

Advanced Threat Protection

Passive DNS (1)