https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71809#M40939 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/21249">@SOC_CSG</a>&nbsp; You can create filter the traffic log for the DNS queries directed towards the Sinkhole address. You may create a report using traffic logs as well :</P> <P><A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/identify-infected-hosts.html" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/identify-infected-hosts.html</A></P> Fri, 29 Jan 2016 02:26:50 GMT syadav 2016-01-29T02:26:50Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71780#M40933 <P>Hello</P> <P>&nbsp;</P> <P>I have setup the Anti-Spyware Profile in our firewall and I have a lot of threat logs of type spyware suspicious DNS &nbsp;queries from a domain controller machine and this is cleansed.</P> <P><SPAN style="line-height: 20px;">Monitor &gt; Logs &gt; Threat list</SPAN></P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2239i122FA0F529456BD7/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="sinkhole.jpg" title="sinkhole.jpg" /></P> <P>As you can see I have configured the sinkhole method. But I woluld like to know how could I identify which PC are making this suspicious DNS queries?</P> <P>&nbsp;</P> <P>Thks</P> <P>&nbsp;</P> <P>Diego&nbsp;</P> <P>&nbsp;</P> Thu, 28 Jan 2016 16:18:48 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71780#M40933 SOC_CSG 2016-01-28T16:18:48Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71786#M40936 <P>You have to look for traffic towards the sinkhole IP in your traffic log, if it's configured as an IP outside the PC LAN.</P> Thu, 28 Jan 2016 17:21:00 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71786#M40936 gtomte 2016-01-28T17:21:00Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71809#M40939 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/21249">@SOC_CSG</a>&nbsp; You can create filter the traffic log for the DNS queries directed towards the Sinkhole address. You may create a report using traffic logs as well :</P> <P><A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/identify-infected-hosts.html" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/identify-infected-hosts.html</A></P> Fri, 29 Jan 2016 02:26:50 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71809#M40939 syadav 2016-01-29T02:26:50Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71814#M40940 <P>HI ,</P> <P>I think that you should configure fake ip address on sinkhole ipv4 field. That fake ip addressin not used inside of the network.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2246i374CA9FE96EA2B1B/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="Capture.PNG" title="Capture.PNG" /></P> <P>&nbsp;</P> <P>Then you need to have security rule that block all access to fake ip address .</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Maybe it's helpful</P> Fri, 29 Jan 2016 03:19:52 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-identify-which-pc-made-a-suspicious-dns-query/m-p/71814#M40940 gombodorj 2016-01-29T03:19:52Z