Fortianalyzer DNS connections to C&C hosts

Tutek · ‎08-17-2023

Hi,

I have in fortianalyzer multiple critical events with event status "Unhandled" these are mainly connections to C&C hosts most of them are ending with com.tr.

So I have created DNS security profile, with option enabled "Redirect botnet C&C requests to Block Portal" and here I have information that database include 80000 domains in botnet package. More over I have created here DNS static filters to block *.com.tr and other like:

I have applied this dns security profile from lan computers to my active directory server (DNS), and then from active directory server to outside DNS forwarder (DNS google).

So my question is why these connections are not blocked "Mitigated" in Fortianalyzer?

kgeorge · ‎08-17-2023

Hello @Tutek,

Botnet and IoC events are generally considered as Unhandled in the Event Logs. Please refer the documentation below to understand the event statuses,

https://docs.fortinet.com/document/fortianalyzer/7.4.0/administration-guide/337904/understanding-eve...

For any further clarifications on this and traffic handled by FortiAnalyzer, you may open a support ticket with our FAZ Team and they will be glad to address them accordingly to you.

Regards,
Klint George

Fortianalyzer DNS connections to C&C hosts

Nominate a Forum Post for Knowledge Article Creation