We have subscribed to the Palo Alto DNS Security feature and we have it applied now.
After a few days, I have a dynamic object with many hosts that have been sinkholed for contacting malicious domains.
Many domains were contacted. What are the recommendations regarding these many malicious domains contacted by our users? What are the recommendations to identify the real malicious domains that need to be blocked, to identify the host PCs that need to be diagnosed, and to identify the domains to exclude from sinkholing on our side? Recommendations and best practices will be appreciated.
If you have PAN-DB as URL categorization, you should deny any/all traffic attempting to talk to dynamic DNS, newly registered domains, parked domains, insufficient-content, high risk, unknown, malicious, hacking, proxy-anonymizer, etc.
Check that you have configured your DNS Security correctly (look under the Spyware profile, under DNS Security) and confirm that obvious malicious DNS locations are set to deny/block. If this is the case, then I would believe that your network may have IoC (indicators of compromise) and you should start to troubleshoot why this traffic is seen, and whether this is an infected user. The Threat log should tell you the name of the domain/URL that is triggering the sinkhole.
In your reply, please include a screen capture of your DNS Security settings and your Threat Logs.
What do you mean by "real malicious domains"?

If there are connections, this does not have to mean that there is something malicious. Of course it could be, but it might be the case that there are malvertisement domains which are contacted when users open normal websites. In such cases it is good that the connections are sinkholed to prevent further attacks, and in such situations there is no need to do things like isolate these hosts and diagnose them. The bad thing is that it is almost impossible to decide simply by one domain whether this is only a harmless web request or an IoC because of malware already present on a computer. So ... in general I recommend to only whitelist domains if they lead to problems with other really needed connections.

For investigations about the sinkholed connections I would check the domains visible in the threat log with services like virustotal.com or urlscan.io. If there are obvious signs of exploit websites (like the websites being related to other malware/attacks), this might be a sign to check the client in more detail. Depending on things like whether there are more blocked connections from that host, or over and over the same blocked connections - especially at times when only the computer is running without a user logged in - the client should be isolated and checked in order to avoid further damage in your network. In such cases, when traffic is sinkholed, you should also check your endpoint protection for alerts.

There is always the balance between securing the network and not wasting time on harmless alerts that are generated. For this I don't have a good recommendation, as it is different in almost every situation, and missing that one critical alert could lead to a complete network compromise.
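As an added example (not part of the thread, and not Palo Alto's own tooling), here is a small Python triage script that applies the heuristics from the answer above to sinkhole hits from a threat log: repeated hits on the same domain from one host, or hits outside the hours when users are logged in, are escalated, while a domain touched once by many hosts during the day is left as a likely malvertising case. The CSV row layout, the business-hours window and the sample rows are all constructed assumptions, not the real PAN-OS threat log export format.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample rows (time, source host, queried domain, action). This
# simplified CSV layout is an assumption, not the real PAN-OS threat log format.
SAMPLE_LOG = """\
2024-03-04 09:12:01,10.1.1.20,ads.tracker.example,sinkhole
2024-03-04 09:13:44,10.1.1.21,ads.tracker.example,sinkhole
2024-03-04 02:15:00,10.1.1.50,beacon.bad.example,sinkhole
2024-03-04 02:45:00,10.1.1.50,beacon.bad.example,sinkhole
2024-03-04 03:15:00,10.1.1.50,beacon.bad.example,sinkhole
2024-03-04 14:02:10,10.1.1.22,cdn.news.example,allow
"""

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is when users are logged in

def parse_sinkhole_events(text):
    """Return (timestamp, host, domain) for every row whose action is sinkhole."""
    events = []
    for ts, host, domain, action in csv.reader(StringIO(text)):
        if action.strip() == "sinkhole":
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, domain))
    return events

def triage(events, repeat_threshold=3, off_hours_threshold=2):
    """Rank hosts as the answer above suggests: repeated hits on one domain, or
    hits while nobody is logged in, point to malware rather than a stray ad
    request; many hosts touching one domain once looks like malvertising."""
    per_host_domain = defaultdict(Counter)
    off_hours = Counter()
    hosts_per_domain = defaultdict(set)
    for ts, host, domain in events:
        per_host_domain[host][domain] += 1
        hosts_per_domain[domain].add(host)
        if ts.hour not in BUSINESS_HOURS:
            off_hours[host] += 1
    hosts = {}
    for host, domains in per_host_domain.items():
        repeated = max(domains.values()) >= repeat_threshold
        quiet_hours = off_hours[host] >= off_hours_threshold
        hosts[host] = {
            "hits": sum(domains.values()),
            "off_hours_hits": off_hours[host],
            "verdict": "isolate_and_check" if repeated or quiet_hours else "monitor",
        }
    domains = {d: len(h) for d, h in hosts_per_domain.items()}
    return {"hosts": hosts, "domains": domains}

if __name__ == "__main__":
    report = triage(parse_sinkhole_events(SAMPLE_LOG))
    for host, info in sorted(report["hosts"].items()):
        print(host, info)
    print("distinct hosts per sinkholed domain:", report["domains"])
```

Hosts with verdict `isolate_and_check` are the ones to pull endpoint protection alerts for first; the per-domain host counts help decide which domains are candidates for a whitelist review rather than a block.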