Threat Intelligence Block?
I see a blocked event due to "Threat Intelligence Feed" on the analytics tab. How can I find the specific DNS lookup that triggered that block without going one-by-one on the "log" tab?
5 replies
- 
  Have you tried exporting the logs to look through them? I don’t know if the export includes the block reason but maybe it does. 
- 
  "Block domains known to spread malware, cause phishing attacks and host command-and-control servers using a mix of the most reputable feeds of attack information - all updated in real time." I suspect this is completely automatic, but you could turn on the "blocked DNS" filter in the log tab and export that list, then use Notepad++ to read this log and look for these feeds.
- 
  @SN3465 I found some old threat where sun.eduzz.com was blocked by the "Threat Intelligence Feeds" 
 
 I searched for it in my log with the query blocked,"threat-intelligence-feeds" and this is the result:
 
 2024-10-17T10:55:08.086Z,sun.eduzz.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"threat-intelligence-feeds",,sun.eduzz.com,XXXXX,"IHS1253",,,,apple-profile
 2024-10-17T10:55:08.082Z,sun.eduzz.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"threat-intelligence-feeds",,sun.eduzz.com,XXXXX,"IHS1253",,,,apple-profile
 
 Hopefully you can find it in your log this way. If you wish more help, feel free to ask.
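
An added example, not part of any reply in this thread: a Python sketch that reads an exported log and lists every domain blocked by the threat intelligence feed, with hit count and first and last timestamp. The column positions are read off the sample rows quoted above and are an assumption about the export, as is the comma-separated reasons field; the `export.csv` filename and the three extra sample rows are constructed.

```python
import csv
from collections import defaultdict

# Column positions read off the sample rows in the post above (assumption:
# the export keeps this order): 0=timestamp, 1=domain, 6=status, 7=reasons.
TS, DOMAIN, STATUS, REASONS = 0, 1, 6, 7

def blocked_by_feed(lines, feed="threat-intelligence-feeds"):
    """Map each domain blocked by `feed` to its hit count, first and last timestamp."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for row in csv.reader(lines):
        if len(row) <= REASONS or row[STATUS] != "blocked":
            continue  # blank or short row, header row, or a query that was not blocked
        # Assumption: several block reasons may share one quoted, comma-separated field.
        if feed not in {r.strip() for r in row[REASONS].split(",")}:
            continue
        hit, ts = hits[row[DOMAIN]], row[TS]
        hit["count"] += 1
        # ISO 8601 UTC timestamps of equal length sort chronologically as text.
        hit["first"] = min(hit["first"] or ts, ts)
        hit["last"] = max(hit["last"] or ts, ts)
    return dict(hits)

# Constructed sample: the two rows quoted in the post plus three made-up rows
# (example.* names, "allowed" status and "example-blocklist" are placeholders).
SAMPLE = """\
2024-10-17T10:55:08.086Z,sun.eduzz.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"threat-intelligence-feeds",,sun.eduzz.com,XXXXX,"IHS1253",,,,apple-profile
2024-10-17T10:55:08.082Z,sun.eduzz.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"threat-intelligence-feeds",,sun.eduzz.com,XXXXX,"IHS1253",,,,apple-profile
2024-10-17T10:56:00.000Z,www.example.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,allowed,"",,example.com,XXXXX,"IHS1253",,,,apple-profile
2024-10-17T10:57:00.000Z,ads.example.net,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"example-blocklist",,example.net,XXXXX,"IHS1253",,,,apple-profile
2024-10-17T10:58:00.000Z,c2.example.org,AAAA,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"example-blocklist,threat-intelligence-feeds",,example.org,XXXXX,"IHS1253",,,,apple-profile
"""

if __name__ == "__main__":
    # For a real export (hypothetical filename), pass an open file instead:
    #   blocked_by_feed(open("export.csv", newline="", encoding="utf-8"))
    for domain, hit in sorted(blocked_by_feed(SAMPLE.splitlines()).items()):
        print(f'{hit["count"]:>4}  {hit["first"]}  {hit["last"]}  {domain}')
```

Parsing with the `csv` module rather than a plain text search keeps quoted fields intact, so a reasons field that itself contains commas does not shift the columns.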
