100s of DNS Requests/sec to MS Services from non-existent user


My traffic monitor is showing 100s of DNS requests/sec from our PDC to what appears to be Microsoft services from a user which no longer exists (as I deleted it out of frustration). The user was deleted months ago but still the entries persist (see attached).

What would be causing these? Telemetry? Intune? How can they originate from a user that no longer exists?

Thanks in advance

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Red_Man
    You'll want to check your Authentication List tab in traffic monitor to see if that user is still logged in. That should tell you where the authentication came from (like Single Sign on, Authentication Portal, VPN, etc.)

    -If it's from Single Sign On (SSO) it'll depend on what method you're using to determine what user is logged in. If you're using event log monitor there might simply not be another log to show that user ever logged out, or they may have never logged out to generate an event SSO would use.

    -you can select and click to force log off the user from there.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Thank you for your fast response. I checked the Authentication List and that user was indeed logged in there. I've been using the web interface so didn't realise how much more information was available in WSM.

    After logging out that user, I'm still getting lots of entries per second in the log, only now they are from a different user. I've noticed this user is the "Searching User" in the SSO configuration tools and also shows as being authenticated as the ELM user. Given this information, is it normal to still have so many entries per second in traffic monitor? It appears to be Microsoft related services.

    Thanks

  • james.carson Moderator, WatchGuard Representative

    ELM does do some authentication in order to get those logs. I'd suggest making sure you're on the latest version of the SSO Authentication Gateway (latest version is 12.10.2.)

    You can find the SSO Authentication Gateway under the downloads section for each firewall at https://software.watchguard.com/

    If you continue to have that issue, I'd suggest opening a support case so that one of our reps can take a look at the issue with you and determine what is causing that.

    -James Carson
    WatchGuard Customer Support

  • Thanks again, James
