Uncommon top level domains
You recently started work as a Security Analyst for a company whose users often access websites that don't use the Latin alphabet. You need to be able to accurately extract all URLs from your data.
Data required
This sample search uses Palo Alto Networks data. You can replace this source with any other firewall data used in your organization.
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=pan:threat | stats count BY url | urlparser field=url listname="mozilla" mode=extended
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype=pan:threat | Search only threat events from Palo Alto Networks data. |
| \| stats count BY url | Show the event count for each value in the url field. |
| \| urlparser field=url listname="mozilla" mode=extended | Use the URLParser app to extract domains from the Mozilla catalog. These are the default settings for the URLParser, so searching \| urlparser with no parameters yields the same results as specifying the parameters shown here. |
Next steps
The results show the URLs visited by your users, but they don't separate the legitimate ones from the suspicious ones. Use your own lookup tables to help sort through the results, or use the analytic functions of the URL Toolbox app, such as Shannon entropy, to find URLs that you need to investigate.
Finally, you might be interested in other processes associated with the Monitoring employee network traffic use case.