When DNSWatch denies a user connection to a suspicious domain, it generates an alert with information about the incident.
You can go to the Alert Details page from the Alerts page in DNSWatch, or you can click a link in a DNSWatch alert notification email. For more information about DNSWatch notification emails, go to About DNSWatch Email Notification.
To view the details for a DNSWatch alert:
- Log in to your DNSWatch account.
- Click Report > Alerts.
The Alerts page opens. - In the Actions column for an alert, click View.
The alert details page opens.
Summary Information and Actions
The Alert Details page includes the same summary information that appears on the Alerts list:
- Domain — The domain in the DNS request
- Victim — The public IP address of the protected network from which the DNS request was received
- Classification — The type of threat, as classified by the DNSWatch analysis team at WatchGuard
- Protocol — The protocol used in the connection to the Blackhole Server
Other summary information and actions that appear on the Details tab:
- Connection information — The total number of connections and whether there is currently an open connection
- Actions — Actions to resolve, unresolve, silence the alert, or report the alert as a false positive
- First Seen — The first date and time that DNSWatch received a DNS request to this domain from this protected network
- Last Seen — The most recent date and time that DNSWatch received a DNS request to this domain from this protected network
Resolve or Unresolve an Alert
You can change the status of an alert to Resolved. You might do this after you have finished any discussion or investigation and consider it resolved. When the status of an alert is Resolved, DNSWatch does not send email alerts when there is a change to the comments. If a new connection is seen for the domain from the same protected network, DNSWatch automatically reopens a resolved alert.
- To change the alert status to Resolved, click Resolve Alert.
- To change the alert to status to unresolved, click Unresolve Alert.
Disable or Enable Notification Emails for an Alert
By default, DNSWatch sends notification emails when an unresolved alert is updated. You can silence alerts on the details page if you want to disable email notifications for an alert but you do not want to change the alert status to Resolved.
- To disable email notifications for an alert, click Silence Alerts.
- To enable email notifications for an alert, click Enable Alerts.
Details
The Details tab shows information about the victim, the destination, and malware type.
Victim Information
The Victim is the host that made the DNS request that was denied by DNSWatch. The DNSWatch Blackhole Server tries to collect information to help you identify the source of the DNS request on your protected network. The information DNSWatch collects includes:
- Victim location — The public IP address of the protected network from which the DNS request was received
- Victim IP addresses — The local IP address of the victim as reported by the malware, if known
- Victim hostname — The host name of the victim
- Victim username — The user name of the victim
Details of victim IP addresses might not always be available in DNSWatch. This is because the ability to communicate with the browser and pull information depends on the type of browser the victim uses. DNSWatch can pull information from Chrome, Firefox, and Edge browsers, although each alert does not contain all the details collected. Internet Explorer and Safari do not allow DNSWatch to pull this information. Some security measures, such as TLS, might also prevent collection of data that is not encrypted.
If more than one Firebox external interface uses the same public IP address, DNSWatch cannot determine which of the protected networks was the source of a DNS request from that public IP address. In this case, the Victim location in the alert might not accurately reflect which protected network was the source of the DNS request.
For more information about the DNSWatch Blackhole Server, go to About DNSWatch Blackhole Servers.
Destination Information
The destination information includes the domain in the DNS request and the port used to connect to the Blackhole Server.
Malware Information
The malware information section includes the Protocol and the Malware locations. If DNSWatch was able to determine the location of malware on a victim computer, the Malware location contains the path of the malware on the victim computer.
Comment
To request help from the WatchGuard DNSWatch Support Team, you can add a comment or question to an alert.
The WatchGuard DNSWatch Support Team can attach comments to respond to your question or provide more information about the alert. Your comment and any response appear on the Discussion tab. You can add a comment in the Details tab or the Discussion tab.
To comment on an alert from the Details tab:
- Type the comment or question for the WatchGuard DNSWatch Support Team.
- To apply styles to the text, you can use Markdown. To view example text, click Styling with Markdown is supported. Tip!
- Click the Preview tab to preview your comment.
- Click Comment to add your comment to this alert.
The Comment appears on the Discussion tab.
When you add a comment to an unresolved alert that does not have alerts silenced, DNSWatch sends an alert notification email that includes the comment and a link back to the alert details.
Discussion
On the Discussion tab you can view all comments for an alert. This includes any comments from the WatchGuard DNSWatch Support Team or from any users in your account.
To comment on an alert from the Discussion tab:
- Type the comment or question for the WatchGuard DNSWatch Support Team.
- To apply styles to the text, you can use Markdown. To view example text, click Styling with Markdown is supported. Tip!
- Click the Preview tab to preview your comment.
- Click Comment to add your comment to this alert.
The Comment appears on the Discussion tab.
Domain Analysis
The Domain Analysis tab shows the domain associated with the alert. It also shows why the domain was blocked by DNSWatch.
Domain Analysis Actions
For each item in the Domain Analysis tab, you can take these actions:
Remove from Blocklist
For a domain or subdomain found on your DNSWatch Blocklist, this action removes it from the Blocklist. For more information, go to Manage DNSWatch Blocklist Domains.
Add to Allowlist
For a domain or subdomain found on a Domain Feed, this action adds it to the Allowlist. For more information, go to Manage DNSWatch Allowlist Domains.
Connection Analysis
When a victim connects to the DNSWatch Blackhole Server, DNSWatch collects details about the connection for analysis. The collected information is used by the WatchGuard DNSWatch Support Team to analyze and categorize the alert.
The collected information includes:
- Netflow data
- Initial Connection Bytes
- Parsed Protocol Details
The Connection Analysis tab includes the connection information for the first connection associated with this alert. To view information about other connections, select the Connections tab.
History
The History tab is a list of actions taken by DNSWatch users for an alert, and shows which DNSWatch user in your account took each action. You can view each time a user resolved or unresolved an alert or when a user silenced or enabled email notification for an alert.
Connections
The Connections tab shows a list of connections related to an alert. For each connection, it shows the source IP address and port, and the start and end time for the connection. To view the details for a connection, click View. The connection information is the same as the information on the Connection Analysis tab.
The collected information includes:
- Netflow data
- Initial Connection Bytes
- Parsed Protocol Details