https://live.paloaltonetworks.com/t5/advanced-threat-prevention/sinkhole-dns-wildfire/m-p/232176#M419 <P>How does the dns-wildfire threat category work? I've seen a log entry, but there isn't any traffic to the sinkhole IP. The action is sinkhole and reported as generic:malicious.domain1. I have confirmed that sinkhole does work for regular threat category dns and is reported as Suspicious DNS Query (generic:malicious.domain2).</P> Mon, 24 Sep 2018 22:11:26 GMT mike406 2018-09-24T22:11:26Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/sinkhole-dns-wildfire/m-p/232176#M419 <P>How does the dns-wildfire threat category work? I've seen a log entry, but there isn't any traffic to the sinkhole IP. The action is sinkhole and reported as generic:malicious.domain1. I have confirmed that sinkhole does work for regular threat category dns and is reported as Suspicious DNS Query (generic:malicious.domain2).</P> Mon, 24 Sep 2018 22:11:26 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/sinkhole-dns-wildfire/m-p/232176#M419 mike406 2018-09-24T22:11:26Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/sinkhole-dns-wildfire/m-p/233812#M423 <P>Sinkholing a DNS query does not guarantee a followup IP connection, especially if the Spyware has embedded intelligence to distinguish a true public IP vs a dummy sinkhole IP.</P> Wed, 03 Oct 2018 22:56:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/sinkhole-dns-wildfire/m-p/233812#M423 mivaldi 2018-10-03T22:56:23Z