Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
223
Views
0
Helpful
0
Replies

FMC AMP - .top , .win , .dns , .null - how to overall 'allow' or not

EDWICK QUILES
Level 1
Level 1

‎10-04-2022 07:05 AM

Good day all

we have a number of FMC-AMP alerts that trigger from these other 'new-standard' domain suffix types

so FMC rules by default flag these domains as IOC , but various TalosIntelligence review and Googling seem to show as 'neutral'

.top   .win  .dns  .null 

is there any better place to look for validation on whether to change the Rule or what ?

thnx

[1:44077:2] INDICATOR-COMPROMISE Suspicious .win dns query [Impact: Potentially Vulnerable] From "Wor FP-1 10.x.x.x" at Mon Oct  3 17:56:20 2022 UTC [Classification: Misc Activity] [Priority: 3] {udp} 192.168.243.238:57274 (unknown)->10.x.x.x:53 (unknown)

 

Ed

0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card