The Cortex XDR – Analytics Failed DNS alert indicates an endpoint is performing an unusually large number of failed DNS resolutions when compared to its peer group.
This alert has two modes of operation. Every 10 minutes it examines the last hour's worth of log data, and every 6 hours it examines the last 24 hours' worth of log data.
10 minutes / 6 hours.
1 hour / 24 hours.
1 hour / 24 hours.
Threat and Enhanced Application logs.
Command and control.
An endpoint is performing DNS lookups that are failing at an excessively high rate when compared to its peer group. This alert might be symptomatic of malware (a bot or a worm) that is trying to connect to its command and control servers.
In order to maintain and control a pool of compromised machines, attackers will frequently deploy a command and control server that is running outside of your network. This server runs on one or more domains that can eventually be identified and blacklisted. To avoid this, malware will sometimes use Domain Generation Algorithms (DGA) that produce many different domain names every day. Because only a few of these domains are ever registered, the installed malware must blindly try to access each generated domain name in an effort to locate an active one.
This alert is designed to detect malware that is using a DGA variant which employs dictionaries to create domain names. For a given endpoint, it is possible that this alert will duplicate the Random Looking DNS alert.
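The detection idea described above (failed resolutions per endpoint, counted over a trailing 1-hour or 24-hour window and compared against the endpoint's peer group), as an added illustration that is not Cortex XDR – Analytics code; the log format, endpoint names, peer group and thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample DNS log: "<ISO timestamp> <endpoint> <query> <rcode>".
# This format and the endpoint names are assumptions, not Cortex XDR log data.
SAMPLE_LOG = """\
2024-05-01T08:30:00 host-d oldlookup.example.com NXDOMAIN
2024-05-01T10:00:01 host-a mail.example.com NOERROR
2024-05-01T10:00:05 host-a www.example.com NOERROR
2024-05-01T10:01:10 host-b www.example.com NOERROR
2024-05-01T10:01:12 host-b intranet.example.com NXDOMAIN
2024-05-01T10:02:30 host-d quietriverstone.net NXDOMAIN
2024-05-01T10:02:31 host-d happysunsetvalley.org NXDOMAIN
2024-05-01T10:02:32 host-d greenpaperstorm.com NXDOMAIN
2024-05-01T10:02:33 host-d bluewindowtable.info NXDOMAIN
2024-05-01T10:02:34 host-d silentforestkey.net NXDOMAIN
2024-05-01T10:02:35 host-d openskymarket.com NXDOMAIN
"""
NOW = datetime(2024, 5, 1, 10, 5)          # evaluation time for the windows below
PEERS = ["host-a", "host-b", "host-d"]     # assumed peer group of workstations
FAILED_RCODES = {"NXDOMAIN", "SERVFAIL"}

def parse_log(text):
    """Yield (timestamp, endpoint, query, rcode) from the constructed log."""
    for line in text.splitlines():
        ts, endpoint, query, rcode = line.split()
        yield datetime.fromisoformat(ts), endpoint, query, rcode

def failed_lookups(records, now, window):
    """Count failed resolutions per endpoint in the trailing window ending at now."""
    start = now - window
    counts = Counter()
    for ts, endpoint, _query, rcode in records:
        if start <= ts <= now and rcode in FAILED_RCODES:
            counts[endpoint] += 1
    return counts

def peer_outliers(counts, peers, min_failures=5, ratio=4.0):
    """Flag peers whose failure count is both >= min_failures and far above the
    peer-group median. Thresholds are illustrative, not the product's own."""
    baseline = median(counts.get(p, 0) for p in peers)
    return {p: counts[p] for p in peers
            if counts[p] >= min_failures and counts[p] > ratio * max(baseline, 1)}

def run_example(window_hours=1):
    """Run the check over SAMPLE_LOG for the 1-hour or 24-hour mode."""
    window = timedelta(hours=window_hours)
    return peer_outliers(failed_lookups(parse_log(SAMPLE_LOG), NOW, window), PEERS)
```

The dictionary-word domains on host-d are the pattern this alert targets; host-b's single failure stays below the floor, which is what keeps an ordinary misconfigured lookup from firing the alert.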
Cortex XDR – Analytics has considered the usage of the domain by both your organization and by the identified endpoint, and Cortex XDR – Analytics has determined that the traffic is unusual enough to warrant this alert.
Communicate with malware running on your network for the purpose of controlling malware activities, performing software updates on the malware, or for taking inventory of infected machines.
- Make sure your DNS servers are not misconfigured and are responsive. This detector assumes that most DNS lookups succeed, and will only raise an alert when it sees large numbers of failed lookups. Misconfigured or unresponsive DNS servers can result in a false positive.
- Make sure you do not have external domains configured as internal domains. This can result in clients attempting to (for example) resolve google.com.local first, before resolving google.com, which can result in a false positive for this alert.
- Make sure the endpoint is configured properly for your DNS servers. For example, make sure it is configured to use the correct DNS IP address, and that the IP address is not for a firewalled DNS server. Misconfigured DNS clients can result in a large number of failed lookups, which will result in a false positive for this alert.
- Make sure the endpoint is not a DNS, Proxy, NAT or VPN gateway server. If these have been misdetected by Cortex XDR – Analytics, then their ordinary operations can trigger this alert.