
Threat Intelligence Block?

I see a blocked event due to "Threat Intelligence Feed" on the analytics tab.  How can I find the specific DNS lookup that triggered that block without going one-by-one on the "log" tab?

4 replies

    • Calvin_Hobbes
    • yesterday

    Have you tried exporting the logs to look through them?  I don’t know if the export includes the block reason but maybe it does.

      • Jeronimo
      • 17 hrs ago

       I just did a download, and you get a full list in ***.csv format.
      Use a filter to search the complete file for "blocked".

      it looks like this:

      2024-10-17T08:35:20.416Z,analytics.adjust.net.in,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:oisd",,adjust.net.in,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,AAAA,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:20.242Z,analytics.adjust.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:oisd",,adjust.com,EETA4,"(Ò_ó)","iPhone 15 mini",,,apple-profile
      2024-10-17T08:35:20.241Z,analytics.adjust.com,AAAA,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:oisd",,adjust.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:19.465Z,ep2.facebook.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:19.464Z,ep2.facebook.com,AAAA,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
      2024-10-17T08:35:19.461Z,ep2.facebook.com,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile

      But I doubt you will find "Threat Intelligence Feed" listed in the log; I couldn't find it in my logs.
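As an added example (not code from the thread or from the DNS provider), here is a Python script that parses rows in the export format quoted above and tallies blocked queries per reason tag, so a reason can be searched for instead of reading the log line by line. The column positions are inferred from the sample rows and must be checked against a real export, and the final non-blocked row in the sample is constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of the export rows quoted in the thread (no header row).
# The last row is an invented non-blocked entry; the real status text for passing queries is not shown.
SAMPLE_CSV = """\
2024-10-17T08:35:20.416Z,analytics.adjust.net.in,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:oisd",,adjust.net.in,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,HTTPS,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
2024-10-17T08:35:20.387Z,fundingchoicesmessages.google.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blacklist,blocklist:no-g",,google.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
2024-10-17T08:35:19.465Z,ep2.facebook.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,blocked,"blocklist:no-facebook",,facebook.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
2024-10-17T08:35:18.000Z,example.com,A,false,DNS-over-HTTPS,xxx.xxx.xxx.xxx,,,,example.com,EETA4,"(Ò_ó)","iPhone 15 Pro",,,apple-profile
"""

# Column positions inferred from the sample rows (assumption: verify against your own export).
COL_TIME, COL_DOMAIN, COL_QTYPE, COL_STATUS, COL_REASONS = 0, 1, 2, 6, 7


def parse_log(text):
    """Parse export rows; the csv module keeps the quoted reasons field
    ("blacklist,blocklist:no-g") as one value despite the comma inside it."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) <= COL_REASONS:
            continue  # skip blank or truncated lines
        tags = [t.strip() for t in rec[COL_REASONS].split(",") if t.strip()]
        rows.append({"time": rec[COL_TIME], "domain": rec[COL_DOMAIN],
                     "qtype": rec[COL_QTYPE], "status": rec[COL_STATUS],
                     "reasons": tags})
    return rows


def count_by_reason(rows):
    """Count blocked queries per reason tag; a query with two tags counts under both."""
    counts = Counter()
    for r in rows:
        if r["status"] == "blocked":
            counts.update(r["reasons"])
    return dict(counts)


def blocked_matching(rows, needle):
    """Return (time, domain, qtype) of blocked queries whose reason tags contain
    needle (case-insensitive); pass e.g. 'threat' to hunt for a threat-intel tag."""
    needle = needle.lower()
    return [(r["time"], r["domain"], r["qtype"]) for r in rows
            if r["status"] == "blocked"
            and any(needle in tag.lower() for tag in r["reasons"])]
```

Run `count_by_reason(parse_log(open("export.csv").read()))` on a real export to see every reason tag the log actually contains, then `blocked_matching` with the tag you want to trace.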

    • Jeronimo
    • 18 hrs ago

    "Block domains known to spread malware, cause phishing attacks and host command-and-control servers using a mix of the most reputable feeds of attack information - all updated in real time."

    I suspect this is completely automatic, but you could turn on the "blocked" DNS filter in the log tab and export that list, then use Notepad++ to read the log and look for these feeds.

      • Jeronimo
      • 17 hrs ago

      "Ignore this reply."
