My problem Splunk UBA Malware DGA Alert (Suspicious Domain Name)
in fact this Suspicious Domains are advertising sites
too much dga in an alarm ex: dga count is > 100
AND ı cant control it every sites , indeed one of them can be dga
How can I fix false positives?
Also that make requests by iphone but alarm can include my dns servers
Sorry for my bad english 🙂
Have a good day :
There are 2 anomalies. It's possible, activities (e.g. browsing) from the phone, visited a number of DGA's and hence Suspicious domain names. What's interesting is the Unusual Geolocation comms. Is it possible, one of the visit to the DGA installed a malware which opens a C2C/backdoor to 197.241.* ip address? You may want to scan your device and check for any unusual apps/programme/external comms.