View DNSWatch Alert Details

When DNSWatch denies a user connection to a suspicious domain, it generates an alert with information about the incident.

You can go to the Alert Details page from the Alerts page in DNSWatch, or you can click a link in a DNSWatch alert notification email. For more information about DNSWatch notification emails, see About DNSWatch Email Notification.

To see the details for a DNSWatch alert:

  1. Log in to your DNSWatch account.
  2. Click Report > Alerts.
    The Alerts page appears.
  3. In the Action column for an alert, click View.
    The alert details page appears.

Screen shot of the alert details page

Summary Information and Actions

The top of the page includes the same summary information that appears on the Alerts list:

  • Domain — The domain in the DNS request
  • Victim — The public IP address of the protected network from which the DNS request was received
  • Classification — The type of threat, as classified by the DNSWatch analysis team at WatchGuard
  • Protocol — The protocol used in the connection to the Blackhole Server

Other summary information and actions appear on the right side. This information includes:

  • Connection information — The total number of connections and whether there is currently an open connection
  • Actions — Actions to resolve, unresolve, or silence the alert
  • First Seen — The first date and time that DNSWatch received a DNS request to this domain from this protected network
  • Last Seen — The most recent date and time that DNSWatch received a DNS request to this domain from this protected network

Resolve or Unresolve an Alert

You can change the status of an alert to Resolved. You might do this after you have finished any discussion or investigation and consider it resolved. When the status of an alert is Resolved, DNSWatch does not send email alerts when there is a change to the comments. If a new connection is seen for the domain from the same protected network, DNSWatch will automatically reopen a resolved alert.

  • To change the alert status to Resolved, click Resolve Alert.
  • To change the alert status to Unresolved, click Unresolve Alert.

Disable or Enable Notification Emails for an Alert

By default, DNSWatch sends notification emails when an unresolved alert is updated. If you want to disable email notifications for an alert but you do not want to change the alert status to Resolved, you can silence alerts in the alert details page.

  • To disable email notifications for an alert, click Silence Alerts.
  • To enable email notifications for an alert, click Enable Alerts.

Details

The Details tab shows information about the victim, the destination, and the malware type.

Victim Information

The Victim is the host that made the DNS request that was denied by DNSWatch. The DNSWatch Blackhole Server tries to collect information to help you identify the source of the DNS request on your protected network. The information DNSWatch collects includes:

  • Victim location — The public IP address of the protected network from which the DNS request was received
  • Victim IP addresses — The local IP address of the victim as reported by the malware, if known
  • Victim hostname — The host name of the victim
  • Victim username — The user name of the victim

It is not always possible for DNSWatch to obtain all of this information about the victim.

If more than one Firebox external interface uses the same public IP address, DNSWatch cannot determine which of the protected networks was the source of a DNS request from that public IP address. In this case, the Victim location in the alert might not accurately reflect which protected network was the source of the DNS request.

Destination Information

The destination information includes the domain in the DNS request and the port used to connect to the Blackhole Server.

Malware Information

The malware information section includes the Malware family and the Malware locations. If DNSWatch was able to determine the location of malware on a victim computer, the Malware location contains the path of the malware on the victim computer.

Comment

To request help from the WatchGuard DNSWatch Support Team, you can add a comment or question to an alert.

Screen shot of the Comment section of the Details for an alert

The WatchGuard DNSWatch Support Team can attach comments to respond to your question or provide more information about the alert. Your comment and any response appear on the Discussion tab. You can add a comment in the Details tab or the Discussion tab.

To comment on an alert from the Details tab:

  1. Type the comment or question for the WatchGuard DNSWatch Support Team.
  2. To apply styles to the text, you can use Markdown. To see example text, click Styling with Markdown is supported. Tip! You can copy the example Markdown text and paste it into the Content tab, where you can then edit it.
  3. Click the Preview tab to preview your comment.
  4. Click Comment to add your comment to this alert.
    The Comment appears on the Discussion tab.

When you add a comment to an unresolved alert that does not have alerts silenced, DNSWatch sends an alert notification email that includes the comment and a link back to the alert details.
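The alert lifecycle rules stated on this page (no notification email for a resolved or silenced alert, and automatic reopening of a resolved alert when a new connection for the same domain arrives from the same protected network) can be collected into one small model. This is an added illustration written for this page, not DNSWatch code; the class, method and field names are constructed, and the notion that an alert is keyed by domain plus protected-network public IP is an assumption drawn from the summary fields described above.

```python
from dataclasses import dataclass, field


@dataclass
class DnsWatchAlertModel:
    """Constructed model of the alert state rules described in the DNSWatch docs."""
    domain: str
    victim_location: str            # public IP address of the protected network
    resolved: bool = False          # Resolve Alert / Unresolve Alert
    silenced: bool = False          # Silence Alerts / Enable Alerts
    connections: int = 0
    comments: list = field(default_factory=list)
    sent_emails: list = field(default_factory=list)

    def _notify(self, reason: str) -> bool:
        # Notification emails are sent only for alerts that are neither
        # resolved nor silenced; return whether an email would go out.
        if self.resolved or self.silenced:
            return False
        self.sent_emails.append(reason)
        return True

    def resolve(self) -> None:
        self.resolved = True

    def unresolve(self) -> None:
        self.resolved = False

    def silence(self) -> None:
        self.silenced = True

    def enable(self) -> None:
        self.silenced = False

    def add_comment(self, text: str) -> bool:
        """Attach a comment; returns True if a notification email is sent."""
        self.comments.append(text)
        return self._notify(f"comment: {text}")

    def new_connection(self, victim_location: str) -> bool:
        """Record a connection from a protected network (assumed keyed by
        public IP). A connection from the same network reopens a resolved
        alert; returns True only when the alert was reopened."""
        if victim_location != self.victim_location:
            return False            # would belong to a different alert
        self.connections += 1
        if self.resolved:
            self.resolved = False
            return True
        return False
```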

Discussion

On the Discussion tab you can see all comments for an alert. This includes any comments from the WatchGuard DNSWatch Support Team or from any users in your account.

To comment on an alert from the Discussion tab:

  1. Type the comment or question for the WatchGuard DNSWatch Support Team.
  2. To apply styles to the text, you can use Markdown. To see example text, click Styling with Markdown is supported. Tip! You can copy the example Markdown text and paste it into the Content tab, where you can then edit it.
  3. Click the Preview tab to preview your comment.
  4. Click Comment to add your comment to this alert.
    The Comment appears on the Discussion tab.

Domain Analysis

The Domain Analysis tab shows the domain associated with the alert. It also shows why the domain was blocked by DNSWatch.

This tab shows whether the domain appears on a Domain Feed or the Blacklist. If you do not want DNSWatch to block the domain, you can select actions here to add a domain to the Whitelist or remove it from the Blacklist.

Domain Analysis Actions

From the Domain Analysis tab, you can select an action to add the domain to the Whitelist or remove the domain from the Blacklist. The available action depends on whether the domain was included on a Domain Feed or the Blacklist. To see the available action, click Actions.

For each item in the Domain Analysis tab, you can take these actions:

Remove from Blacklist

For a domain or subdomain found on your DNSWatch Blacklist, this action removes it from the Blacklist. For more information, see Manage DNSWatch Blacklisted Domains.

Add to Whitelist

For a domain or subdomain found on a Domain Feed, this action adds it to the Whitelist. For more information, see Manage DNSWatch Whitelist Domains.

Malware Analysis

When a victim connects to the DNSWatch Blackhole Server, DNSWatch collects details about the connection for analysis. The collected information is used by the WatchGuard DNSWatch Support Team to analyze and categorize the alert.

The collected information includes:

  • Netflow data
  • Initial Connection Bytes
  • Parsed Protocol Details

The Malware Analysis tab includes the connection information for the first connection associated with this alert. To see information about other connections, select the Connections tab.

History

The History tab is a list of actions taken by DNSWatch users for an alert, and shows which DNSWatch user in your account took each action. Below Events, you can see each time a user resolved or unresolved the alert, or silenced or enabled email notifications for the alert.

Connections

The Connections tab shows a list of connections related to an alert. For each connection, it shows the source IP address and port, and the start and end time for the connection. To see the details for a connection, click View. The connection information is the same as the information on the Malware Analysis tab.

The collected information includes:

  • Netflow data
  • Initial Connection Bytes
  • Parsed Protocol Details

See Also

Manage DNSWatch Alerts
