Sophos ZTNA: Non-seamless access to Windows resources - XDR Query to identify DNS Records

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. 


This Recommended read presents a way to create SRV Records to prevent Windows Auth issues: 

To address the challenge of creating the correct resources, you can use Sophos XDR / LiveDetection.

XDR Live Discover

With XDR Live Discover, we can query a report of all DNS queries a client sends within one click.

Enable the Designer Mode

Create a new Windows Endpoint Query

Use the following Code in SQL:

-- DNS Lookups by Process
-- $$1. Start Time$$       DATE
-- $$2. End Time$$         DATE
-- $$3. Process Name$$     STRING (Use % as wildcard, for example mcs% )
-- $$4. Domain Name$$      STRING (Use % as wildcard, for example %msdcs%)
   sophos_dns_journal AS sdj
   sophos_process_journal AS spj
   sdj.sophos_pid = spj.sophos_pid 
   sdj.time > '$$1. Start Time$$' AND
   sdj.time < '$$2. End Time$$' AND
   lower(spj.process_name) LIKE (lower('$$3. Process Name$$')) AND
   lower( LIKE (lower('$$4. Domain Name$$'))
ORDER BY spj.process_name

In step 4. we’ll use " %msdcs% " 

You’ll see something like this: 

You can now adapt the SRV Records from that using the KBA 


Keep in mind you also have to create the DC itself as a Ressource: 

Added Query Type.
[bearbeitet von: LuCar Toni um 8:18 AM (GMT -7) am 27 Mar 2024]