Hi @MRamadanAHafiez 

What do you mean with "real malicious domains"?

If there are connections, this does not have to mean that there is something malicious. Of course it could be, but there might be the case that there are malvertisement domains which are contacted when users open normal websites. In such cases it is good that the connections are sinkholed to prevent further attacks, and in such situations there is no need to do things like isolate these hosts and diagnose them. The bad thing is that it is almost impossible to decide simply by one domain if this is only a harmless web request or an IoC because of already present malware on a computer. So ... in general I recommend to only whitelist domains if they lead to problems with other really needed connections. For investigations about the sinkholed connections I would check the domains visible in the threat log with services like virustotal.com or urlscan.io. If there are obvious signs of exploit websites (like the websites are related to other malware/attacks) this might be a sign to check the client in more detail. Depending on things like whether there are more blocked connections from that host, or over and over the same blocked connections - especially at times when only the computer is running without a user logged in - the client should be isolated and checked in order to avoid further damage in your network. In such cases when traffic is sinkholed you should also check your endpoint protection for alerts.

There is always the balance between securing the network and not wasting time on harmless alerts that are generated. For this I don't have a good recommendation, as it is different in almost every situation, and missing that one critical alert could lead to a complete network compromise.
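One way to turn the triage heuristics from the post above into a repeatable check (repeated identical sinkholed connections from one host, hits at hours when no user should be logged in, and a per-host list of domains to look up in virustotal.com or urlscan.io), as an added example that is not part of the original post. The log field layout, host names, domains and the 00:00-05:59 off-hours window are constructed assumptions, not PAN-OS threat-log output.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real threat-log output): timestamp, source
# host, queried domain, action. The field layout is an assumption.
SAMPLE_LOG = """\
2024-03-04T10:12:01,PC-011,ads-tracker.example,sinkhole
2024-03-04T10:12:05,PC-011,cdn-promo.example,sinkhole
2024-03-04T02:00:03,PC-042,cnc-beacon.example,sinkhole
2024-03-04T02:30:02,PC-042,cnc-beacon.example,sinkhole
2024-03-04T03:00:01,PC-042,cnc-beacon.example,sinkhole
2024-03-04T03:30:04,PC-042,cnc-beacon.example,sinkhole
2024-03-04T11:45:10,PC-077,ads-tracker.example,sinkhole
2024-03-04T09:15:00,PC-077,allowed.example,allow
"""

OFF_HOURS = range(0, 6)   # 00:00-05:59: assumed nobody is logged in
REPEAT_THRESHOLD = 3      # same host/domain pair seen this often looks like beaconing

def parse_records(text):
    """Return (timestamp, host, domain) tuples for sinkholed hits only."""
    records = []
    for line in text.strip().splitlines():
        ts, host, domain, action = line.split(",")
        if action == "sinkhole":
            records.append((datetime.fromisoformat(ts), host, domain))
    return records

def triage_hosts(records, off_hours=OFF_HOURS, repeat_threshold=REPEAT_THRESHOLD):
    """Summarise sinkholed hits per host and flag hosts worth isolating and
    checking with endpoint protection: repeated identical domains or off-hours hits."""
    per_host = defaultdict(lambda: {"hits": 0, "domains": Counter(), "off_hours": 0})
    for ts, host, domain in records:
        entry = per_host[host]
        entry["hits"] += 1
        entry["domains"][domain] += 1
        if ts.hour in off_hours:
            entry["off_hours"] += 1
    result = {}
    for host, e in per_host.items():
        repeated = [d for d, n in e["domains"].items() if n >= repeat_threshold]
        result[host] = {
            "hits": e["hits"],
            "distinct_domains": sorted(e["domains"]),   # candidates for VT/urlscan lookup
            "repeated_domains": repeated,
            "off_hours_hits": e["off_hours"],
            "isolate_and_check": bool(repeated) or e["off_hours"] > 0,
        }
    return result
```

Hosts that only hit one or two sinkholed domains during working hours (the malvertisement case) come back unflagged; the host beaconing to the same domain every 30 minutes at night is flagged.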
