Forum Discussion
Tips on how to process firewall URL/DNS alerts
Hello,
I would recommend applying additional logic here, as just seeing blocked connections won't give you any practical steps you can action.
What you can do is:
- Apply Threat Intelligence to it: you can install a free connector in Sentinel and create an analytic rule that will flag successful connections where TI matches the source IP address from Syslog.
- Move your current alert to a Workbook; this way you can monitor the top domains being flagged and action them from there, double-checking whether they are blacklisted in the firewall or, if using Defender for Endpoint, adding them as a custom network indicator (block).
- Filter whitelisted domains from the query; you should have some Microsoft ones in there and most likely plenty of others (like Apple or CDN domains).
This way you can filter out the noise and keep only relevant events.
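The first and third points above, as an added KQL example that is not from the original post: an analytic-rule query that joins firewall Syslog events against active IP indicators in the ThreatIntelligenceIndicator table and drops allow-listed destination domains. The firewall message format (`src=`, `dstdomain=`, `action=` fields), the `ProcessName` tag and the allow-list contents are assumptions; adjust them to the vendor's actual log format and your environment.

```kusto
// Added example (not from the post). Assumed firewall syslog line shape:
//   "... src=10.1.2.3 dstdomain=example.net action=allow ..."
let dt_lookBack  = 1h;   // window of firewall events to evaluate on each run
let ioc_lookBack = 14d;  // how far back to pull indicators
// Assumed allow-list of noisy first-party/CDN domains; a Watchlist is the
// usual home for this in production (_GetWatchlist('AllowedDomains')).
let allowed_domains = dynamic(["microsoft.com", "windowsupdate.com", "apple.com", "akamaihd.net"]);
// Firewall events: parse the fields we need and remove allow-listed destinations.
let fw = Syslog
    | where TimeGenerated >= ago(dt_lookBack)
    | where ProcessName has "firewall"   // assumed tag of the firewall feed
    | parse SyslogMessage with * "src=" SourceIP " " * "dstdomain=" DestDomain " " * "action=" Action
    | where isnotempty(SourceIP) and isnotempty(DestDomain)
    | where not(DestDomain has_any (allowed_domains));
// Active, unexpired IP indicators; keep only the latest copy of each indicator.
let ti = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | where Active == true
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | extend TI_ip = coalesce(NetworkIP, NetworkSourceIP);
// Flag connections that the firewall let through whose source IP is a known indicator.
fw
| where Action =~ "allow"
| join kind=inner ti on $left.SourceIP == $right.TI_ip
| project TimeGenerated, Computer, SourceIP, DestDomain, Action,
          IndicatorId, ThreatType, ConfidenceScore, Description
// Entity mapping for the rule: IP -> SourceIP, DNS -> DestDomain, Host -> Computer.
```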
TheHoff70 (Brass Contributor), Mar 25, 2025:
Hello
These are good points and to some extent I apply them already. For example, I run several playbooks on firewall blocks to enrich the entities from services like Shodan and VT and close the incidents if no other indications are found. The problem with Defender XDR is there is some process somewhere that reopens the closed incidents and creates these massive 800+ entity incidents.
I feel things are further complicated by the difference in terms between Sentinel and Defender XDR. For example, an incident from Sentinel, containing one or more blocked URLs, is handled as an alert by XDR. It might be presented as-is or included later into an amalgam incident.