Steph_M asked:

How to find a redirect in a repage - New Relic

Last week our firewall reports identified a new SaaS application in use: New Relic going to bam.nr-data.net/

I know what the application does, I just don't know how it got there.

We've tried pulling PCAPs, firewall reports, asking app dev if they installed it, asking the vendor if someone is paying for it, even searching for redirects to the site in Windows.

Experts, can you please provide some recommendations on how else to find the source of the redirect?

Some tools we have available: Wireshark, firewall, endpoint clients, SCCM, lite SIEM, unfortunately no web application firewall.

Regards,
Steph
ASKER CERTIFIED SOLUTION
Zvonko
Steph_M

ASKER

I think we have that information from the firewall. If I am understanding your recommendation, we should take the user's sourceid and then look on their machine to see what processes it kicked off?

Yep.
But if the ports are already released then you have no chance to track down what process has fired.
Therefore my proposal was to get and hold the requestor ports by a dummy application.
Steph_M

ASKER

Well, I am going to give you the win because your plan worked but my co-worker found a different way to accomplish it.

He downloaded TCPView and logged into some of our applications and sites until the IP showed up; that showed the process that was running. Turns out the 3rd party we use to manage our VOIP installed the app on their system.

Thanks for the help.

SM
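
The approach that worked in this thread (watch the connection table until the address appears, then read off the owning process) can also be scripted with built-in Windows cmdlets and left running on a suspect machine. This is an added example, not code from any poster in the thread; the polling interval, watch duration and log path are assumptions.

```powershell
# Run in an elevated PowerShell session on the machine being investigated.
$TargetHost  = 'bam.nr-data.net'                        # hostname from the firewall report
$PollMs      = 500                                      # assumption: polling interval
$DurationMin = 30                                       # assumption: how long to watch
$LogPath     = "$env:TEMP\nr-data-connections.csv"      # assumption: output location

$knownIps = @{}   # every address the name has resolved to while watching
$seen     = @{}   # connections already logged
$deadline = (Get-Date).AddMinutes($DurationMin)

while ((Get-Date) -lt $deadline) {
    # Re-resolve on every pass and accumulate: the addresses behind the name can rotate.
    Resolve-DnsName -Name $TargetHost -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        ForEach-Object { $knownIps[$_.IPAddress] = $true }

    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
             Where-Object { $knownIps.ContainsKey($_.RemoteAddress) }

    foreach ($c in $conns) {
        # Sockets in TimeWait report owning process 0: the process has already let go.
        if ($c.OwningProcess -eq 0) { continue }

        $key = '{0}|{1}|{2}' -f $c.OwningProcess, $c.LocalPort, $c.RemoteAddress
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Win32_Process gives the executable path, command line and parent PID.
        $p = Get-CimInstance Win32_Process -Filter "ProcessId=$($c.OwningProcess)" `
                 -ErrorAction SilentlyContinue

        $row = [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            RemoteAddr  = $c.RemoteAddress
            RemotePort  = $c.RemotePort
            LocalPort   = $c.LocalPort
            State       = $c.State
            ProcessId   = $c.OwningProcess
            ProcessName = $p.Name
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ParentPid   = $p.ParentProcessId
        }
        $row | Export-Csv -Path $LogPath -Append -NoTypeInformation
        $row   # also show the hit on the console
    }
    Start-Sleep -Milliseconds $PollMs
}
```

A connection that opens and closes between two polls is still missed, which is the released-port problem raised earlier in the thread. If the owning process turns out to be a browser, the request is coming from a script embedded in a page it loaded rather than from locally installed software.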