Hi Team,
Our AWS infra team found an unusual DNS resolver finding in GuardDuty, shown below.
They are asking whether this traffic is legitimate: the instance is using 162.159.36.2 as a DNS server, and that address is not in our IP range or country/region.
Can you please check and advise whether it is related to Qlik, and where we can check and update this DNS server setting?
If it is not related to Qlik Sense, kindly confirm that.
We are using the Qlik Sense on Windows product, May 2023 Patch 09,
on an EC2 instance.
Below are the unmasked GuardDuty details they raised in the local incident.
**************** More info **************************
},
"SchemaVersion": "2.0",
"Service": {
"Action": {
"ActionType": "NETWORK_CONNECTION",
"NetworkConnectionAction": {
"Blocked": false,
"ConnectionDirection": "OUTBOUND",
"LocalPortDetails": {
"Port": 56741,
"PortName": "Unknown"
},
"Protocol": "UDP",
"LocalIpDetails": {
"IpAddressV4": "<Masked>"
},
"RemoteIpDetails": {
"City": {
"CityName": ""
},
"Country": {
"CountryName": "United States"
},
"GeoLocation": {
"Lat": 0,
"Lon": 0
},
"IpAddressV4": "162.159.36.2",
"Organization": {
"Asn": "13335",
"AsnOrg": "CLOUDFLARENET",
"Isp": "Cloudflare",
"Org": "Cloudflare"
}
},
"RemotePortDetails": {
"Port": 53,
"PortName": "DNS"
}
}
},
"Archived": false,
"Count": 1,
"DetectorId": "a2bf4e00b70ed37e6cedcf429d2b5871",
"EventFirstSeen": "2024-06-18T01:38:31.000Z",
"EventLastSeen": "2024-06-18T01:39:23.000Z",
"ResourceRole": "ACTOR",
"ServiceName": "guardduty",
"AdditionalInfo": {
"Value": "{\"inBytes\":\"165\",\"outBytes\":\"77\",\"unusual\":\"CLOUDFLARENET\"}",
"Type": "default"
}
},
"Severity": 5,
"Title": "The EC2 instance i-07fc8c4d494230e6c is communicating with an unusual DNS resolver 162.159.36.2.",
"Type": "DefenseEvasion:EC2/UnusualDNSResolver",
"UpdatedAt": "2024-06-18T01:40:46.110Z"
}
]
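You can check whether these requests are related to Qlik's backend license server. There are more instructions here. Either way, confirm on the instance itself which process sent the UDP port 53 traffic during the finding's time window (EventFirstSeen to EventLastSeen), because the portion of the finding shown above identifies only the remote resolver, not the originating application.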