I’m currently testing Zscaler to see if it is able to protect against the Domain Fronting technique. What I do see in the log is the first (legit) domain hit and the underlying (bad) domain as two separate lines. But I do not seem to be able to link those two events together. Currently, I’m working on a homemade app that acts as domain fronting, so I know the legit and the bad URL. In a real situation, I’m a bit in the dark.
Is there any link I can make between those two events? Can I set any alerts when I call a URL, but the answer is on another domain?
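As an added example (not from the post above and not Zscaler's own code or log format), the following Python script shows the kind of correlation the question is asking about: the two log lines are joined on the client IP and a short time window, and an alert is raised when the hostname seen in the TLS handshake (SNI) differs from the Host header the proxy sees after decryption. The log layout, field names and hostnames are constructed for the example; a real deployment would map them onto the fields the proxy actually exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample proxy log (an assumed layout, NOT Zscaler's real format).
# Fields: timestamp | client_ip | event_kind | value
#   tls_sni   -> hostname presented in the TLS ClientHello (the "front" domain)
#   http_host -> Host header seen after TLS inspection (the real destination)
SAMPLE_LOG = """\
2024-05-01T10:00:00|10.0.0.5|tls_sni|cdn.example-front.test
2024-05-01T10:00:01|10.0.0.5|http_host|hidden.example-bad.test
2024-05-01T10:00:05|10.0.0.7|tls_sni|www.example-shop.test
2024-05-01T10:00:06|10.0.0.7|http_host|www.example-shop.test
2024-05-01T10:05:00|10.0.0.5|tls_sni|cdn.example-front.test
2024-05-01T10:09:30|10.0.0.5|http_host|hidden.example-bad.test
"""


@dataclass
class Event:
    ts: datetime
    client_ip: str
    kind: str   # "tls_sni" or "http_host"
    value: str  # hostname, normalised to lower case


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-separated log into time-ordered events."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, kind, value = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), ip, kind, value.lower()))
    events.sort(key=lambda e: e.ts)
    return events


def find_front_mismatches(events: List[Event], window_seconds: int = 60) -> List[dict]:
    """Link each http_host event to the most recent tls_sni event from the same
    client within `window_seconds`, and flag the pair when the hostnames differ.
    The (client_ip, time window) pair is the join key the proxy log does not
    give us directly."""
    last_sni: Dict[str, Event] = {}
    alerts: List[dict] = []
    for ev in events:
        if ev.kind == "tls_sni":
            last_sni[ev.client_ip] = ev
        elif ev.kind == "http_host":
            sni = last_sni.get(ev.client_ip)
            if sni is None:
                continue  # no handshake seen for this client yet
            if ev.ts - sni.ts > timedelta(seconds=window_seconds):
                continue  # too far apart to treat as one connection
            if ev.value != sni.value:
                alerts.append({
                    "client_ip": ev.client_ip,
                    "sni": sni.value,
                    "host": ev.value,
                    "gap_seconds": (ev.ts - sni.ts).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_front_mismatches(parse_log(SAMPLE_LOG)):
        print("SNI/Host mismatch:", alert)
```

With the default 60-second window only the first pair is reported; widening the window to ten minutes also catches the second pair, which shows why the window is a tuning knob rather than a fixed value. A mismatch between SNI and Host is a signal, not proof: shared CDNs legitimately serve many hostnames behind one certificate, so in practice the alert is best combined with reputation or allow-lists for the Host values.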