The issue:
An unknown private (NAT) client is infected with malware and it's trying to access a Bot server at random times/dates.

How we know about this:
We receive bot traffic notices/alerts from REN-ISAC. Unfortunately, we don't receive those until the next day after it has happened. What they provide to us is:

• The source address (of the firewall)
• The destination addresses (it varies, but they're going to network subnet allocated to a German ISP)
• The source port (which varies--dynamic ports).

Question:
What would be the best approach to finding this internal host (historically) with a Cisco ASA as firewall?

I'm guessing blocking anything to the destination address(es), and logging that type of traffic/access might allow me to find the source host, but I'm not sure which tool/command would be the most useful.

I've seen Netflow thrown into a few responses when it comes to logging, but I'm confused with it's association of Logging, NAL, and nBAR, and how they relate to Netflow.