https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50804#M37378 <HTML><HEAD></HEAD><BODY><P>Thanks for your replies.</P></BODY></HTML> Mon, 18 Aug 2014 14:40:41 GMT craigmueller 2014-08-18T14:40:41Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50801#M37375 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Is there a list of all the DNS Querys that PA considers suspicious?</P><P></P><P>I was considering changing the default action from alert to block for these signatures.</P><P></P><P>Since there is potentially 1 million URLs that will automatically get blocked when adjusted, my client might want to go over the list before making the decision.</P><P></P><P><IMG alt="PA DNS Sig.JPG" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14986_PA DNS Sig.JPG" style="height: 391px; width: 620px;" /></P><P></P><P>Thanks!</P></BODY></HTML> Fri, 15 Aug 2014 21:06:04 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50801#M37375 craigmueller 2014-08-15T21:06:04Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50802#M37376 <HTML><HEAD></HEAD><BODY><P>That list is a "living database" and changes over time.&nbsp; I think a better method to use with your customer would be to understand "what would have been blocked".&nbsp; You can run a simple custom report to answer that question.&nbsp; Use the "Threat Log" as your data source and use the following options (feel free to change your timeframe - just keep in mind the longer the timeframe the longer the report may take to run.&nbsp; Start small ~1 day and then work your way up).&nbsp; </P><P></P><P><IMG alt="Screen Shot 2014-08-15 at 3.18.47 PM.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14987_Screen Shot 2014-08-15 at 3.18.47 PM.png" style="height: 344px; width: 620px;" /></P><P>In my small lab environment, the output looks like this:</P><P></P><P><IMG alt="Screen Shot 2014-08-15 at 3.22.22 PM.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14988_Screen Shot 2014-08-15 at 3.22.22 PM.png" style="height: 176px; width: 620px;" /></P></BODY></HTML> Fri, 15 Aug 2014 21:24:21 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50802#M37376 jvalentine 2014-08-15T21:24:21Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50803#M37377 <HTML><HEAD></HEAD><BODY><P>I agree with Jared.&nbsp; Even if you could see the whole database, and the chances are low that PA would allow that.&nbsp; I'm sure they consider those contents a trade secret they want to keep from the competition, the report is more relevant. </P><P></P><P>The report tells you what your users are likely to see on your network.</P><P></P><P>Remember also that generally when a default action is to alert instead of block, there is a much higher possibility of a false positive.&nbsp; So you may generate some work allowing blocked sites after the action is changed.</P></BODY></HTML> Sat, 16 Aug 2014 00:17:13 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50803#M37377 pulukas 2014-08-16T00:17:13Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50804#M37378 <HTML><HEAD></HEAD><BODY><P>Thanks for your replies.</P></BODY></HTML> Mon, 18 Aug 2014 14:40:41 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-dns-query-list/m-p/50804#M37378 craigmueller 2014-08-18T14:40:41Z