https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/407111#M92197 <P>Hello Bros,</P><P>&nbsp; &nbsp; We have subscribed to palo alto dns-security and the license has been applied to the device.</P><P>Rules with anti-spyware "dns-security sinkhole action enabled".</P><P>Now regarding the hosts with sinkhole action, that means these hosts trying to connect to a malicious domains.</P><P>These trials blocked but is these another recommended actions to be taken towards these hosts? Is there a recommended method to stop them from trying to connect to these malicious domains?</P><P>TIA</P> Sun, 16 May 2021 15:13:52 GMT MRamadanAHafiez 2021-05-16T15:13:52Z https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/407111#M92197 <P>Hello Bros,</P><P>&nbsp; &nbsp; We have subscribed to palo alto dns-security and the license has been applied to the device.</P><P>Rules with anti-spyware "dns-security sinkhole action enabled".</P><P>Now regarding the hosts with sinkhole action, that means these hosts trying to connect to a malicious domains.</P><P>These trials blocked but is these another recommended actions to be taken towards these hosts? Is there a recommended method to stop them from trying to connect to these malicious domains?</P><P>TIA</P> Sun, 16 May 2021 15:13:52 GMT https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/407111#M92197 MRamadanAHafiez 2021-05-16T15:13:52Z https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/407121#M92199 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159497">@MRamadanAHafiez</a>&nbsp;</P> <P>The recommendation would be to check these hosts if there is some sort of malware/spyware running which tries to connect to these domains. With the sinkhole feature it shows you these hosts which otherwise wouldn't be identified.</P> <P>The little problem is to differentiate if it really was some sort of malware or only connections done by the users browsers which probably are the reason for most of the sinkholed connections. It's not that (my assumption) that users directly connect to these domains, these requests are because of advertisements on the actual websites or because of malicious scripts somehow get executed on the websites that the users open.&nbsp;</P> <P>So there is no way to fully stop clients connecting to domains whitch are redirected to the sinkhole, but it still is a very helpful feature to identify clients which should be checked.</P> Sun, 16 May 2021 15:52:14 GMT https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/407121#M92199 Remo 2021-05-16T15:52:14Z https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/407424#M92231 <P>Thank you so much Bro.</P> Mon, 17 May 2021 23:40:28 GMT https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/407424#M92231 MRamadanAHafiez 2021-05-17T23:40:28Z https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/423009#M94129 <P>If you are using XDR you can setup an IOC to alert when a client connects to the sinkhole IP.&nbsp; Then put an exclusion on the the alert if it is coming from a browser and then investigate any endpoint that has a process other than a browser connecting to the sinkhole.</P> Thu, 29 Jul 2021 12:58:59 GMT https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/423009#M94129 JasonPeterson 2021-07-29T12:58:59Z https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/423388#M94156 <P>Thank you for participation but unfortunately we don't have XDR.</P> Fri, 30 Jul 2021 12:23:38 GMT https://live.paloaltonetworks.com/t5/general-topics/regarding-sinkholed-hosts/m-p/423388#M94156 MRamadanAHafiez 2021-07-30T12:23:38Z