View DNSWatch Alert Details

When DNSWatch denies a user connection to a suspicious domain, it generates an alert with information about the incident.

You can go to the Alert Details page from the Alerts page in DNSWatch, or you can click a link in a DNSWatch alert notification email. For more information about DNSWatch notification emails, go to About DNSWatch Email Notification.

To view the details for a DNSWatch alert:

  1. Log in to your DNSWatch account.
  2. Click Report > Alerts.
    The Alerts page opens.
  3. In the Actions column for an alert, click View.
    The alert details page opens.

Screen shot of the alert details page

Summary Information and Actions

The Alert Details page includes the same summary information that appears on the Alerts list:

  • Domain — The domain in the DNS request
  • Victim — The public IP address of the protected network from which the DNS request was received
  • Classification — The type of threat, as classified by the DNSWatch analysis team at WatchGuard
  • Protocol — The protocol used in the connection to the Blackhole Server

Other summary information and actions that appear on the Details tab:

  • Connection information — The total number of connections and whether there is currently an open connection
  • Actions — Buttons to resolve, unresolve, or silence the alert, or to report it as a false positive
  • First Seen — The first date and time that DNSWatch received a DNS request to this domain from this protected network
  • Last Seen — The most recent date and time that DNSWatch received a DNS request to this domain from this protected network

Resolve or Unresolve an Alert

You can change the status of an alert to Resolved. You might do this after you have finished any discussion or investigation and consider it resolved. When the status of an alert is Resolved, DNSWatch does not send email alerts when there is a change to the comments. If a new connection is seen for the domain from the same protected network, DNSWatch automatically reopens a resolved alert.

  • To change the alert status to Resolved, click Resolve Alert.
  • To change the alert status to unresolved, click Unresolve Alert.

Disable or Enable Notification Emails for an Alert

By default, DNSWatch sends notification emails when an unresolved alert is updated. You can silence alerts on the details page if you want to disable email notifications for an alert but you do not want to change the alert status to Resolved.

  • To disable email notifications for an alert, click Silence Alerts.
  • To enable email notifications for an alert, click Enable Alerts.

Details

The Details tab shows information about the victim, the destination, and malware type.

Victim Information

The Victim is the host that made the DNS request that was denied by DNSWatch. The DNSWatch Blackhole Server tries to collect information to help you identify the source of the DNS request on your protected network. The information DNSWatch collects includes:

  • Victim location — The public IP address of the protected network from which the DNS request was received
  • Victim IP addresses — The local IP address of the victim as reported by the malware, if known
  • Victim hostname — The host name of the victim
  • Victim username — The user name of the victim

Details of victim IP addresses might not always be available in DNSWatch, because the ability to communicate with the browser and pull information depends on the type of browser the victim uses. DNSWatch can pull information from Chrome, Firefox, and Edge browsers, although not every alert contains all of the details collected. Internet Explorer and Safari do not allow DNSWatch to pull this information. Security measures such as TLS might also prevent collection, because DNSWatch can only collect data that is not encrypted.

If more than one Firebox external interface uses the same public IP address, DNSWatch cannot determine which of the protected networks was the source of a DNS request from that public IP address. In this case, the Victim location in the alert might not accurately reflect which protected network was the source of the DNS request.

For more information about the DNSWatch Blackhole Server, go to About DNSWatch Blackhole Servers.

Destination Information

The destination information includes the domain in the DNS request and the port used to connect to the Blackhole Server.

Malware Information

The malware information section includes the Protocol and the Malware locations. If DNSWatch was able to determine the location of malware on a victim computer, the Malware location contains the path of the malware on the victim computer.

Comment

To request help from the WatchGuard DNSWatch Support Team, you can add a comment or question to an alert.

Screen shot of the Comment section of the Details for an alert

The WatchGuard DNSWatch Support Team can attach comments to respond to your question or provide more information about the alert. Your comment and any response appear on the Discussion tab. You can add a comment in the Details tab or the Discussion tab.

To comment on an alert from the Details tab:

  1. Type the comment or question for the WatchGuard DNSWatch Support Team.
  2. To apply styles to the text, you can use Markdown. To view example text, click Styling with Markdown is supported.
  3. Click the Preview tab to preview your comment.
  4. Click Comment to add your comment to this alert.
    The Comment appears on the Discussion tab.

When you add a comment to an unresolved alert that does not have alerts silenced, DNSWatch sends an alert notification email that includes the comment and a link back to the alert details.
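The status and notification rules described above (resolve and unresolve, silence and enable, automatic reopen on a new connection, and the email sent when a comment is added) fit together as a small state machine. The following Python model is an added illustration and is not DNSWatch code; the class and method names are my own, the email text is constructed, and two behaviours the page does not state are marked as assumptions in the comments: that a new connection counts as an update that triggers an email, and that a silenced alert stays silenced when it is reopened automatically.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Illustrative model of a DNSWatch alert's status and notification rules (not DNSWatch code)."""
    domain: str
    victim: str                      # public IP address of the protected network
    resolved: bool = False
    silenced: bool = False
    connections: int = 0
    comments: list = field(default_factory=list)
    history: list = field(default_factory=list)   # (user, action) pairs, as on the History tab
    outbox: list = field(default_factory=list)    # notification emails that would be sent

    def _notify(self, reason: str) -> bool:
        """An email goes out only for an unresolved alert whose notifications are not silenced."""
        if self.resolved or self.silenced:
            return False
        self.outbox.append(f"[DNSWatch] {self.domain} from {self.victim}: {reason}")  # constructed text
        return True

    def resolve(self, user: str) -> None:
        self.resolved = True
        self.history.append((user, "resolve"))

    def unresolve(self, user: str) -> None:
        self.resolved = False
        self.history.append((user, "unresolve"))

    def silence(self, user: str) -> None:
        self.silenced = True
        self.history.append((user, "silence"))

    def enable(self, user: str) -> None:
        self.silenced = False
        self.history.append((user, "enable"))

    def comment(self, user: str, text: str) -> bool:
        """Add a comment to the Discussion; returns True if a notification email was generated."""
        self.comments.append((user, text))
        return self._notify(f"comment by {user}")

    def new_connection(self) -> bool:
        """Record another connection to the Blackhole Server; returns True if a resolved alert was reopened.

        Assumption: the silenced flag is left as it was when the alert reopens; the page does not say.
        """
        self.connections += 1
        reopened = self.resolved
        if reopened:
            self.resolved = False
            self.history.append(("DNSWatch", "auto-reopen"))
        self._notify("new connection seen")   # assumption: a new connection counts as an update
        return reopened


if __name__ == "__main__":
    alert = Alert("blocked.example", "203.0.113.10")   # constructed sample values
    alert.comment("alice", "Investigating the host behind this request.")
    alert.resolve("alice")
    alert.new_connection()                             # reopens the alert automatically
    for user, action in alert.history:
        print(f"{user}: {action}")
    print(alert.outbox)
```

The point of the model is the single rule in `_notify`: resolving and silencing both stop email, but only resolving is undone automatically by a new connection, which is why silencing is the right choice when you want quiet without losing the reopen behaviour.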

Discussion

On the Discussion tab you can view all comments for an alert. This includes any comments from the WatchGuard DNSWatch Support Team or from any users in your account.

To comment on an alert from the Discussion tab:

  1. Type the comment or question for the WatchGuard DNSWatch Support Team.
  2. To apply styles to the text, you can use Markdown. To view example text, click Styling with Markdown is supported.
  3. Click the Preview tab to preview your comment.
  4. Click Comment to add your comment to this alert.
    The Comment appears on the Discussion tab.

Domain Analysis

The Domain Analysis tab shows the domain associated with the alert. It also shows why the domain was blocked by DNSWatch.

Screenshot of the Domain Analysis tab

Domain Analysis Actions

For each item in the Domain Analysis tab, you can take these actions:

Remove from Blocklist

For a domain or subdomain found on your DNSWatch Blocklist, this action removes it from the Blocklist. For more information, go to Manage DNSWatch Blocklist Domains.

Add to Allowlist

For a domain or subdomain found on a Domain Feed, this action adds it to the Allowlist. For more information, go to Manage DNSWatch Allowlist Domains.

Connection Analysis

When a victim connects to the DNSWatch Blackhole Server, DNSWatch collects details about the connection for analysis. The collected information is used by the WatchGuard DNSWatch Support Team to analyze and categorize the alert.

The collected information includes:

  • Netflow data
  • Initial Connection Bytes
  • Parsed Protocol Details

The Connection Analysis tab includes the connection information for the first connection associated with this alert. To view information about other connections, select the Connections tab.
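The page lists Initial Connection Bytes and Parsed Protocol Details without saying how the parsed details are derived. As an added example that is not DNSWatch code, the Python below shows the kind of analysis an analyst can apply to the first bytes of a sinkholed connection: classify them as an HTTP request or a TLS ClientHello and pull out the requested Host header or SNI, which is the domain the victim actually tried to reach even when several domains resolve to the same Blackhole Server. The function names are my own, the three samples are constructed (the ClientHello is built by a helper, not captured), and the parser handles truncated captures by returning no host rather than failing.

```python
from typing import Optional


def _extract_sni(rec: bytes) -> Optional[str]:
    """Walk a TLS ClientHello record and return the server_name (SNI) value, if present."""
    try:
        pos = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
        pos += 1 + rec[pos]                                   # session_id
        pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")    # cipher_suites
        pos += 1 + rec[pos]                                   # compression_methods
        end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(rec[pos:pos + 2], "big")
            elen = int.from_bytes(rec[pos + 2:pos + 4], "big")
            pos += 4
            if etype == 0:                                    # server_name extension
                p = pos + 2                                   # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = rec[p], int.from_bytes(rec[p + 1:p + 3], "big")
                    p += 3
                    if ntype == 0:                            # host_name entry
                        return rec[p:p + nlen].decode("ascii", "replace")
                    p += nlen
            pos += elen
    except IndexError:
        pass                                                  # truncated capture: no SNI recoverable
    return None


def parse_initial_bytes(data: bytes) -> dict:
    """Classify the first bytes of a sinkholed connection and extract the host the victim asked for."""
    # TLS: handshake record (0x16), TLS 1.x version, handshake type ClientHello (0x01)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"protocol": "tls", "host": _extract_sni(data)}
    # HTTP: "<METHOD> <path> HTTP/x.y" request line followed by header lines
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        return {
            "protocol": "http",
            "method": parts[0].decode("ascii", "replace"),
            "path": parts[1].decode("ascii", "replace"),
            "host": headers.get("host"),
            "user_agent": headers.get("user-agent"),
        }
    return {"protocol": "unknown", "first_bytes": data[:16].hex()}


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI entry (not a real capture)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01"                      # one cipher suite
            + b"\x01\x00"                              # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples standing in for the Initial Connection Bytes shown on the tab
HTTP_SAMPLE = (b"GET /check HTTP/1.1\r\nHost: sinkholed.example.net\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n")
TLS_SAMPLE = build_client_hello("sinkholed.example.net")
RAW_SAMPLE = b"\x00\x01\x02\x03binary"

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE, RAW_SAMPLE):
        print(parse_initial_bytes(sample))
```

In practice the Host or SNI value is what you compare against the Domain shown in the alert summary: a match confirms the victim process was headed for that domain, while a mismatch or an unknown protocol is a reason to look at the raw bytes and the Netflow data before categorizing the alert.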

History

The History tab lists the actions that DNSWatch users in your account have taken on an alert and shows which user took each action: each time a user resolved or unresolved the alert, or silenced or enabled email notifications for it.

Connections

The Connections tab shows a list of connections related to an alert. For each connection, it shows the source IP address and port, and the start and end time for the connection. To view the details for a connection, click View. The connection information is the same as the information on the Connection Analysis tab.

Related Topics

Manage DNSWatch Alerts

About DNSWatch Blackhole Servers