Endpoint Protection


Malicious Domain Request attack blocked; Why isn't the DNS name logged?

    Posted Apr 21, 2020 03:40 PM
    We often get an alert like this:
    Malicious Site: Malicious Domain Request 32 attack blocked
    However, the details from the alert do not tell you the domain name that was blocked, just the IP address. If Symantec knows the DNS query is malicious then it should know the domain name and should report it. Am I missing something here?

    Here's an example:
    2020-04-21 15:28:52,Major,xxx,Event Description: [SID: 31350] Malicious Site: Malicious Domain Request 22 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE,Local Host IP: 172.16.42.208,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 178.128.141.43,Remote Host MAC: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2020-04-21 15:28:38,End Time: 2020-04-21 15:28:38,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE,Location: Off Network,User Name: xxxx,Domain Name: ORAU,Local Port: 51445,Remote Port: 443,CIDS Signature ID: 31350,CIDS Signature string: Malicious Site: Malicious Domain Request 22,CIDS Signature SubID: 72810,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: CF8EA766CA9A3600603C3D5A6B4595B945D410A0C4C68B490A7842070F5BE11A,MD-5:

    Any ideas would be appreciated.

    Paul T

    ------------------------------
    PaulT
    ------------------------------
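Added example (not code from the post, Symantec or Broadcom): a Python parser for the comma-separated SEP export line quoted above that pulls out the fields the alert does carry, confirms that the name fields are empty, and correlates the blocked Remote Host IP with a few constructed DNS resolver log lines for the same client in the minute before the block. The resolver log format, the reading of the third positional field as the host name, and the domain names in the sample are assumptions.

```python
import re
from datetime import datetime
# Constructed sample: the SEP export line from the post, trimmed to the fields used here.
SEP_EVENT = (
    "2020-04-21 15:28:52,Major,xxx,Event Description: [SID: 31350] Malicious Site: "
    "Malicious Domain Request 22 attack blocked. Traffic has been blocked for this "
    "application: C:\\PROGRAM FILES (X86)\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE,"
    "Local Host IP: 172.16.42.208,Remote Host Name: ,Remote Host IP: 178.128.141.43,"
    "Inbound,TCP,Begin: 2020-04-21 15:28:38,End Time: 2020-04-21 15:28:38,"
    "CIDS Signature ID: 31350,Intrusion URL: ,Intrusion Payload URL: ,MD-5:"
)

# Constructed resolver log, assumed format: "date time client qtype qname answer".
DNS_LOG = [
    "2020-04-21 15:20:00 172.16.42.208 A cdn.example 178.128.141.43",       # too early
    "2020-04-21 15:28:30 172.16.42.208 A news.example 203.0.113.7",         # other answer
    "2020-04-21 15:28:37 172.16.42.209 A other.example 178.128.141.43",     # other client
    "2020-04-21 15:28:37 172.16.42.208 A bad-site.example 178.128.141.43",  # the match
]

# "Key: value" tokens; the key must start with a letter, so timestamps never match.
KV = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*):\s?(.*)$")

def parse_sep_event(line):
    """Split one SEP export line into positional fields plus its Key: value pairs."""
    parts = line.split(",")
    event = {"timestamp": parts[0], "severity": parts[1], "host": parts[2], "flags": []}
    for token in parts[3:]:
        m = KV.match(token)
        if m:
            event[m.group(1)] = m.group(2).strip()
        else:
            event["flags"].append(token)  # bare tokens such as Inbound, TCP
    return event

def domain_missing(event):
    """True when the alert carries no name at all, only the remote IP."""
    return not event.get("Remote Host Name") and not event.get("Intrusion URL")

def candidate_domains(event, dns_log, window_s=60):
    """Names the same client resolved to the blocked IP within window_s before Begin."""
    begin = datetime.strptime(event["Begin"], "%Y-%m-%d %H:%M:%S")
    client, remote = event["Local Host IP"], event["Remote Host IP"]
    names = []
    for rec in dns_log:
        day, clock, src, _qtype, qname, answer = rec.split()
        age = (begin - datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")).total_seconds()
        if src == client and answer == remote and 0 <= age <= window_s:
            names.append(qname)
    return names
```

The posted event also says Location: Off Network, so the matching query may only exist on the endpoint itself rather than in the corporate resolver's log.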