Requests to a large number of subdomains
You want to monitor how many subdomains are requested per domain to identify signs of data exfiltration or Domain Generation Algorithm domains.
Required data
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
You must install the URL toolbox app for this search to work.
tag=dns message_type="Query" | eval list="mozilla" | `ut_parse_extended(query, list)` | stats dc(ut_subdomain) AS HostsPerDomain BY ut_domain | sort -HostsPerDomain
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
tag=dns |
Search for fields with the "web" tag. |
message_type="Query" |
Search for queries. |
| eval list="mozilla" |
Search the Mozilla catalog for top level domains. This eval function is required for the next line in the search (ut_parse_extended) to work. |
| `ut_parse_extended(query, list)` |
Parse the queries based on the Mozilla top level domain list. The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote ('). |
| stats dc(ut_subdomain) as HostsPerDomain by ut_domain |
Return the results in a table—grouped by the ut_domain field—that includes a count of the number of distinct subdomains for each domain seen. |
| sort -HostsPerDomain |
Sort the results with the domain with the highest number of subdomains appearing first. |
Next steps
The search results include all domains. Since you probably aren't concerned about queries to subdomains of microsoft.com or other known good sites, you can use lookups to remove noise.
Finally, you might be interested in other processes associated with the Monitoring a network for DNS exfiltration use case.