I am getting some reports from the security center, these alerts are regarding .null requests to what seem to be legitimate places. The alerts state that they are coming from our Domain Controller and the requests are being made to multiple different IP addresses that check out from VirusTotal and Shodan.
Sid 1-48666 from Snort is blocking the .null requests which flag as a indicator of compromise. Alerts are only being generated during work hours.
I would like to know what steps you all would take to investigate/resolve this issue.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-name-queries-not-succes...
"socialize.null"
4.2.2.2
e.root-servers.net 192.203.230.10
G.ROOT-SERVERS.NET 192.112.36.4