Is there a way to not include the Firewall in Firstly Seen Sites?

Started by IsaacFL, April 02, 2021, 07:56:22 PM

Under my threats detected, it is filled with Firstly Seen Sites, which are all of the DNS lookups to my firewall?

Seems there must be a way to not see this, since it overwhelms actual threats in the log.

I have been running Sensei for about 1.5 hours and Threats are over 1200 Firstly Seen Sites, which are all DNS lookups to the local OPNsense, and maybe 10 other threats?

Hi,

You can add a filter (Reports - Add Filter - Blocked Message - not equal - Firstly Seen Sites)

What is the domain name? We can recategorize it.

Ok, this worked. I filtered on the destination host names.

My domain is iznmort.com.

Seems like it would be a good option to be able to add in the settings your own domain and treat it special.

Hi @IsaacFL,

There is an option under the Configuration - Cloud Threat Intel - Local Domain Name To Exclude From Cloud Queries.

Quote from: IsaacFL on April 02, 2021, 08:53:34 PM
Ok, this worked. I filtered on the destination host names.

My domain is iznmort.com.

Seems like it would be a good option to be able to add in the settings your own domain and treat it special.

I have several subdomains it keeps identifying despite entering the parent domain. Is there a way to do multiple or wildcards?

Quote from: sy on April 19, 2021, 02:51:52 PM
Hi,

example.com covers *.example.com.

I'm unable to get this to work. Even entering the FQDN, it still shows up as a Firstly Seen Site.

I proposed this question to their support (who got back to me within minutes) and they gave me this solution:

Add a whitelist entry (Policy - Web Controls - Auto Whitelist). Check the box at the bottom and this will submit it to their team to review for recategorization.

OR

Use https://www.sunnyvalley.io/site-classification/

I had done the first method but had not checked the box, since my domain isn't really for public consumption, but this is what needs to happen in order for it not to show up.

Also worth noting that specific hostnames can be specified as well, since I have several different types of services running off our domain.

Unfortunately, this still hasn't really had the effect I was looking for. Traffic for my domain is still showing up as a threat, but as "Undecidedly Safe" rather than Firstly Seen. It does show it's whitelisted when I'm looking at TLS Live Explorer, but I still have my original problem where I will most likely not see a threat because I'm so overloaded with false positives from my own domain. I'm hoping this will be improved upon over time.
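The rule sy states above ("example.com covers *.example.com") is a domain-suffix match on label boundaries, which is the same rule you would want in any local post-filter over an exported threat log. The script below is an added example and is not Sensei's or OPNsense's code, nor anything posted in this thread: the log records are constructed for the demo, the field names (`dst_host`, `threat`) and the limit of five local domains are assumptions taken from the discussion, and the point it shows is that a naive substring check would wrongly suppress `notexample.com` and `cdn.example.com.evil.test` while a proper suffix check only covers the apex and its subdomains. Real threats (any category other than Firstly Seen Sites) are never suppressed, even when they come from the local domain, so the filter cannot hide the events the thread is worried about losing.

```python
"""Suppress 'Firstly Seen Sites' noise for a small set of local domains.

Added example (not Sensei/Zenarmor code). Log records and field names
are constructed for this demo; the matching rule follows the thread:
an excluded domain such as example.com also covers *.example.com.
"""

MAX_LOCAL_DOMAINS = 5          # assumed limit, as mentioned for the 1.9 release
NOISE_CATEGORY = "Firstly Seen Sites"

# Constructed sample of threat-log records (not real Sensei output).
SAMPLE_LOG = [
    {"time": "2021-04-02T19:01:02", "dst_host": "nas.example.com",         "threat": NOISE_CATEGORY},
    {"time": "2021-04-02T19:01:05", "dst_host": "example.com",             "threat": NOISE_CATEGORY},
    {"time": "2021-04-02T19:01:09", "dst_host": "notexample.com",          "threat": NOISE_CATEGORY},
    {"time": "2021-04-02T19:01:12", "dst_host": "cdn.example.com.evil.test", "threat": NOISE_CATEGORY},
    {"time": "2021-04-02T19:02:30", "dst_host": "update.vendor.test",      "threat": "Malware"},
    {"time": "2021-04-02T19:02:45", "dst_host": "vpn.example.com",         "threat": "Malware"},
    {"time": "2021-04-02T19:03:01", "dst_host": "www.EXAMPLE.com.",        "threat": NOISE_CATEGORY},
]


def normalize(host):
    """Lower-case and drop a trailing dot so 'www.EXAMPLE.com.' compares equal to 'www.example.com'."""
    return host.strip().rstrip(".").lower()


def in_local_domain(host, local_domains):
    """True if host is one of the local domains or a subdomain of one.

    Matching is done on label boundaries: 'notexample.com' does not match
    'example.com', and neither does 'cdn.example.com.evil.test'.
    """
    h = normalize(host)
    for d in local_domains:
        d = normalize(d)
        if h == d or h.endswith("." + d):
            return True
    return False


def naive_match(host, local_domains):
    """The substring check you must NOT use; kept only to show the false positives."""
    h = normalize(host)
    return any(normalize(d) in h for d in local_domains)


def filter_threats(records, local_domains, noise_category=NOISE_CATEGORY):
    """Split records into (kept, suppressed).

    Only the noise category is ever suppressed, and only when the destination
    host belongs to a configured local domain; every other threat is kept.
    """
    if len(local_domains) > MAX_LOCAL_DOMAINS:
        raise ValueError(f"at most {MAX_LOCAL_DOMAINS} local domains are supported")
    kept, suppressed = [], []
    for rec in records:
        if rec["threat"] == noise_category and in_local_domain(rec["dst_host"], local_domains):
            suppressed.append(rec)
        else:
            kept.append(rec)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_threats(SAMPLE_LOG, ["example.com"])
    print(f"suppressed {len(suppressed)} noise records, kept {len(kept)}")
    for rec in kept:
        print(f"  {rec['time']}  {rec['threat']:<20} {rec['dst_host']}")
```

Running it with `example.com` as the single local domain suppresses the three Firstly Seen entries for the apex and its subdomains and keeps the other four, including the Malware hit on `vpn.example.com`; swapping `in_local_domain` for `naive_match` would also swallow the two look-alike hosts, which is exactly the kind of blind spot a whitelist should not create.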

@BrandonG777, this is fixed & improved in 1.9. You'll also be able to specify up to 5 domains which will get excluded from cloud queries. 1.9 is scheduled for around the middle of this month.