This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to pick up the trail when it stops at the domain controller?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to pick up the trail when it stops at the domain controller?

JacobYonkman
L0 Member

‎04-04-2024 10:28 AM

Hello Community! 


Situation: We are seeing XDR incidents where NGFW detects something trying to reach out to malicious websites. This is automatically mitigated by dropping the connection on both ends, as it should. However, it seems this results in no causality chain. The source shows the domain controller involved, but that's not the actual origin of the request.

 

Any ideas on how to query for more information that will lead us to what attempted to reach said malicious site?

I'm fairly new to building XDR queries but have tried exploring datasets and trying to correlate the alert times stamps to other events/host network connections on the domain controller. 


Example alert desc: "'generic:sussybadsite.bad along with 3 other alerts generated by PAN NGFW detected on host zdomainctrl1"

We get a couple duplicate incidents per day and I'm burning with curiosity as what keeps attempting to reach out. Any and all thoughts/suggestions are most welcome!


 

 

0 Likes Likes
2 REPLIES 2

Antony_Chan
L2 Linker

‎04-05-2024 01:38 AM

Hello @JacobYonkman,

 

Before we dive into XQL query/investigation. It's better to understand how's the infrastructure being setup.

Questions:

  1. Is your Domain Controller work as a DNS server
  2. Did the NGFW enable DNS sinkhole?
  3. Do all of your endpoints install with Cortex XDR agent?

Apart from Question 3, the investigation needs to be carry out from NGFW.

Here's an article of DNSSinkhole that might help you identify the source that attempted to access a malicious website.

How DNS Sinkholing Works (paloaltonetworks.com)

AC
(1)

JacobYonkman
L0 Member

‎04-05-2024 08:47 AM

Hello Antony!
The article is definitely helpful.
1. No
2. Yes
3. Yes. MOST endpoints have the XDR agent. (There is also a chance people are plugging personal devices into endpoints for charging, which naturally will not have any agents installed)

 

0 Likes Likes
  • 798 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks