I've been seeing malware CNC alerts in my IPS for traffic that's coming from a domain controller. I did a packet capture on the DC and found the actual origin of the DNS lookups is the LEM server. Through research, I've determined that LEM attempts to resolve DNS it sees in the logs. However, when I try to search in LEM for the identity of the machines that have the malware domain in their logs, I find nothing. I've verified that the DNS traffic logs from the DC are successfully being sent to LEM. I've done a packet capture on the DC that proves the DNS lookups (many each day) are coming from LEM. Maybe I'm not using the nDepth filters correctly. Does anyone have advice for how I can use LEM to identify the machines that are the real cause?
↧