Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This Recommended read presents a way to create the SRV records needed to prevent Windows Auth issues.
To address the challenge of finding out which resources have to be created, you can use Sophos XDR / LiveDetection.
XDR Live Discover
With XDR Live Discover we can, with one click, pull a report of all DNS queries a client sends.
https://central.sophos.com/manage/threat-analysis-center/live-query
Enable the Designer Mode
Create a new Windows Endpoint Query
Use the following SQL code:
-- DNS Lookups by Process
-- $$1. Start Time$$ DATE
-- $$2. End Time$$ DATE
-- $$3. Process Name$$ STRING (Use % as wildcard, for example mcs% )
-- $$4. Domain Name$$ STRING (Use % as wildcard, for example %msdcs%)
SELECT DISTINCT
    sdj.name,
    spj.process_name
FROM
    sophos_dns_journal AS sdj
JOIN
    sophos_process_journal AS spj
ON
    sdj.sophos_pid = spj.sophos_pid
WHERE
    sdj.time > '$$1. Start Time$$' AND
    sdj.time < '$$2. End Time$$' AND
    lower(spj.process_name) LIKE (lower('$$3. Process Name$$')) AND
    lower(sdj.name) LIKE (lower('$$4. Domain Name$$'))
ORDER BY spj.process_name
In step 4 we'll use " %msdcs% ".
You'll see something like this:
You can now derive the SRV records from that output, following the KBA.
Keep in mind you also have to create the DC itself as a Resource:
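To show what the query above actually returns and how its output maps onto the resources you have to create, here is an added example (not part of the original post and not Sophos code). It rebuilds the two journal tables in an in-memory SQLite database using only the columns the Live Discover query touches (name, sophos_pid, time, process_name); the rows, process names and domain are constructed for the example. Times are plain Unix epoch integers and the `$$…$$` variables become bound parameters, both of which are assumptions made so the query runs offline; a secondary ORDER BY on sdj.name is added so the result order is stable. The `classify` helper is also an addition: it separates the SRV-style names (leading underscore label, e.g. `_ldap._tcp.dc._msdcs…`) from plain host names such as the DC itself, which is the second resource the post reminds you to create.

```python
import sqlite3

# Constructed sample rows modelled on the Live Discover tables. Column names come
# from the page's query; the contents (PIDs, times, hosts, domain) are made up.
DNS_JOURNAL = [
    # (time as unix epoch, sophos_pid, name)
    (1711500000, 4001, "_ldap._tcp.dc._msdcs.corp.example"),
    (1711500005, 4001, "_kerberos._tcp.dc._msdcs.corp.example"),
    (1711500010, 4001, "dc01.corp.example"),
    (1711500020, 4002, "update.example.net"),                # unrelated process, no _msdcs
    (1711400000, 4001, "_ldap._tcp.dc._msdcs.corp.example"),  # outside the time window
]
PROCESS_JOURNAL = [
    # (sophos_pid, process_name)
    (4001, "lsass.exe"),
    (4002, "svchost.exe"),
]

# The page's query with the $$…$$ variables replaced by bound parameters (assumption:
# epoch integers for the DATE variables) and a secondary sort key for stable output.
QUERY = """
SELECT DISTINCT sdj.name, spj.process_name
FROM sophos_dns_journal AS sdj
JOIN sophos_process_journal AS spj ON sdj.sophos_pid = spj.sophos_pid
WHERE sdj.time > ? AND sdj.time < ?
  AND lower(spj.process_name) LIKE lower(?)
  AND lower(sdj.name) LIKE lower(?)
ORDER BY spj.process_name, sdj.name
"""


def build_db():
    """Create the two journal tables in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sophos_dns_journal (time INTEGER, sophos_pid INTEGER, name TEXT)")
    con.execute("CREATE TABLE sophos_process_journal (sophos_pid INTEGER, process_name TEXT)")
    con.executemany("INSERT INTO sophos_dns_journal VALUES (?, ?, ?)", DNS_JOURNAL)
    con.executemany("INSERT INTO sophos_process_journal VALUES (?, ?)", PROCESS_JOURNAL)
    return con


def dns_lookups(start, end, process_pattern="%", domain_pattern="%msdcs%"):
    """Run the query; returns a list of (name, process_name) tuples."""
    con = build_db()
    try:
        return con.execute(QUERY, (start, end, process_pattern, domain_pattern)).fetchall()
    finally:
        con.close()


def classify(names):
    """Split observed DNS names into SRV-style names (first label starts with '_')
    and plain host names; both kinds need a corresponding resource."""
    names = list(names)  # allow generators to be passed in
    srv = sorted({n for n in names if n.startswith("_")})
    hosts = sorted({n for n in names if not n.startswith("_")})
    return srv, hosts


if __name__ == "__main__":
    # Step 4 from the post: domain filter "%msdcs%", any process.
    for name, proc in dns_lookups(1711499999, 1711500100, "%", "%msdcs%"):
        print(f"{proc:12} {name}")
    # Widen the domain filter to the whole AD domain to also catch the DC host itself.
    rows = dns_lookups(1711499999, 1711500100, "lsass%", "%corp.example")
    srv, hosts = classify(n for n, _ in rows)
    print("SRV names to create:", srv)
    print("Host names to create:", hosts)
```

Running it prints the two `_msdcs` SRV names looked up by lsass.exe for the first query, and for the widened query lists `dc01.corp.example` separately as the host resource; the row from 4002 and the lookup outside the time window never appear.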
Added Query Type.
[edited by: LuCar Toni at 8:18 AM (GMT -7) on 27 Mar 2024]