I've configured a DNS sinkhole in our PAN firewall, and it's helped our department identify machines that are trying to reach out to malicious domains and such. Is it possible to identify the original, intended, destination that the user was attempting to reach when they became innfected?
If you reslove the URLs in those DNS queries you will get IPs of C&C servers.
The original source of the infection will not be so easy to find.
For start check threat logs with IPs of the infected machines as source or destination. You might also want to check URL logs if it visited some of the suspicious categories (malware, unknown..) if these aren't blocked. If you pinpoint the moment of infection from system logs on the infected device maybe check traffic logs as well. That's as much as you can check on FW. But if the source infection was encrypted connection or USB stick you won't find much info on firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!