
Threat Intelligence Block?

I see a blocked event due to "Threat Intelligence Feed" on the analytics tab. How can I find the specific DNS lookup that triggered that block without going one-by-one on the "log" tab?

5 replies

    • Calvin_Hobbes
    • 1 mth ago

    Have you tried exporting the logs to look through them? I don't know if the export includes the block reason, but maybe it does.

      • Jeronimo
      • 1 mth ago

       I just did a download and you get a full list in ***.csv format.
      Use a filter to search the complete file for "blocked".

      it looks like this:

      2024-10-17T08:35:20.416Z,analytics.adjust.net.in,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:oisd",,adjust.net.in,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,AAAA,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.242Z,analytics.adjust.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:oisd",,adjust.com,EETA4,"(Ò_ó)","iPhone 15 mini",,,apple-profile
      2024-10-17T08:35:20.241Z,analytics.adjust.com,AAAA,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:oisd",,adjust.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:19.465Z,ep2.facebook.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:19.464Z,ep2.facebook.com,AAAA,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:19.461Z,ep2.facebook.com,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile

      But I doubt you will find the "Threat Intelligence Feed" listed in the log; I couldn't find it in my logs.

    • Jeronimo
    • 1 mth ago

    "Block domains known to spread malware, cause phishing attacks and host command-and-control servers using a mix of the most reputable feeds of attack information - all updated in real time."

    I suspect this is completely automatic, but you could turn on the "blocked DNS" filter in the log tab and export that list, then use Notepad++ to read this log and look for these feeds.

      • Jeronimo
      • 1 mth ago

      "Ignore this reply."

    • Jeronimo
    • 1 mth ago

    @SN3465 I found some old thread where sun.eduzz.com was blocked by the "Threat Intelligence Feeds".

    I searched for it in my log with the query blocked,"threat-intelligence-feeds" and this is the result:

    2024-10-17T10:55:08.086Z,sun.eduzz.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"threat-intelligence-feeds",,sun.eduzz.com,XXXXX,"IHS1253",,,,apple-profile
    2024-10-17T10:55:08.082Z,sun.eduzz.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"threat-intelligence-feeds",,sun.eduzz.com,XXXXX,"IHS1253",,,,apple-profile

    Hopefully you can find it in your log this way; if you wish more help, feel free to ask.
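As an added example (not code from the thread or from the service's own tooling), a small Python script that parses export rows in the shape quoted above and pulls out the lookups blocked with a given reason tag. It splits the quoted reasons field rather than substring-matching, so multi-reason rows such as "blacklist,blocklist:no-g" are handled correctly. The column positions, and the "allowed" status used for the non-blocked row in the constructed sample, are assumptions, since the export has no header line.

```python
import csv
import io

# Constructed sample rows in the same shape as the export lines quoted in the thread.
# The export has no header; the "allowed" status on the last row is an assumed value.
SAMPLE_EXPORT = """\
2024-10-17T10:55:08.086Z,sun.eduzz.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"threat-intelligence-feeds",,sun.eduzz.com,XXXXX,"IHS1253",,,,apple-profile
2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
2024-10-17T08:35:19.465Z,ep2.facebook.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
2024-10-17T08:35:18.000Z,example.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,allowed,"",,example.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
"""

# Positional column indices, inferred from the sample rows (assumption: no header line).
COL_TIMESTAMP, COL_DOMAIN, COL_QTYPE, COL_STATUS, COL_REASONS, COL_DEVICE = 0, 1, 2, 6, 7, 11


def parse_rows(text):
    """One list of fields per export line; csv handles quoted fields with embedded commas."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def reason_tags(row):
    """Split the reasons field into its individual tags (it may hold several)."""
    return [tag.strip() for tag in row[COL_REASONS].split(",") if tag.strip()]


def blocked_by(text, reason):
    """Return (timestamp, domain, qtype, device) for every row blocked with exactly this tag."""
    hits = []
    for row in parse_rows(text):
        if len(row) <= COL_DEVICE or row[COL_STATUS] != "blocked":
            continue
        if reason in reason_tags(row):
            hits.append((row[COL_TIMESTAMP], row[COL_DOMAIN], row[COL_QTYPE], row[COL_DEVICE]))
    return hits


def block_reason_counts(text):
    """Count blocked rows per reason tag, to see which list or feed fires most often."""
    counts = {}
    for row in parse_rows(text):
        if len(row) <= COL_REASONS or row[COL_STATUS] != "blocked":
            continue
        for tag in reason_tags(row):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in blocked_by(SAMPLE_EXPORT, "threat-intelligence-feeds"):
        print(*hit)
    print(block_reason_counts(SAMPLE_EXPORT))
```

To run it against a real export, replace SAMPLE_EXPORT with the file contents (for example open(path, encoding="utf-8").read()).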
