Splunk Lantern

Suspicious domains visited by a user

You might need to sift through a large number of websites that a user visited if you suspect that one of them caused a problem on your network when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A user has reported ransomware on her machine. You think that it might have been downloaded from a malicious website.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Stream DNS data. You can replace this source with any other deep packet inspection data used in your organization.

  1. Run the following search:

     sourcetype=stream:DNS src=<IP address of infected machine> record_type=A
     |table _time query{} src dest
     |reverse

  2. In the field sections on the left, find and click query.
  3. Examine the websites the user visited.
  4. Decide what domains or other results you can eliminate from your search to make your investigation more efficient. For example, Google and Microsoft websites are probably safe. A Whois search can help you decide what domains to whitelist.
  5. Update the record_type portion of your search as necessary. For example, to eliminate all microsoft.com and live.com sites, use:

     record_type=A NOT (query{}=*.microsoft.com OR query{}=*.live.com)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search | Explanation

sourcetype=stream:DNS

Search only DNS data from Splunk Stream logs.

src=<IP address of infected machine>

Search logs coming from the infected machine.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the src field will contain a hostname and sometimes an IP address. Parentheses and OR statements broaden your search so you don’t miss anything.

Example:
(src="192.0.2.0" OR src_ip="192.0.2.0")

Example:
(src="192.0.2.0" OR src="example.com")

record_type=A

Search only DNS A records, which return IPv4 addresses.

|table _time query{} src dest

Display the results in a table with the fields in the order shown.

|reverse

Display the results from oldest to newest.
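The filter that the procedure and the explanation table build up (source match on either src or src_ip, A records only, eliminated domains removed, oldest first), as an added Python example that is not part of this Splunk Lantern article, run over a constructed sample of Stream DNS events. It goes slightly beyond the page: the bare apex (microsoft.com) is eliminated too, which the SPL wildcard *.microsoft.com alone does not match, and the suffix match is anchored on a dot so look-alike names such as microsoft.com.invoice-update.example stay in the results for review.

```python
# Constructed sample of Stream DNS events (not real data). Field names follow
# the page's search: _time, src or src_ip, record_type, and query (query{} in SPL).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:05Z", "src": "192.0.2.0", "record_type": "A",
     "query": ["login.live.com"]},
    {"_time": "2024-05-01T09:00:01Z", "src_ip": "192.0.2.0", "record_type": "A",
     "query": ["www.microsoft.com"]},
    {"_time": "2024-05-01T09:01:10Z", "src": "192.0.2.0", "record_type": "A",
     "query": ["microsoft.com.invoice-update.example"]},  # look-alike, must be kept
    {"_time": "2024-05-01T09:01:30Z", "src": "192.0.2.0", "record_type": "AAAA",
     "query": ["cdn.example.net"]},                        # not an A record
    {"_time": "2024-05-01T09:02:00Z", "src": "198.51.100.7", "record_type": "A",
     "query": ["free-tools.example"]},                     # different machine
    {"_time": "2024-05-01T09:02:45Z", "src": "192.0.2.0", "record_type": "A",
     "query": ["free-tools.example"]},
]

# Domains the analyst decided to eliminate, as in step 5 of the procedure.
ALLOWLIST = ("microsoft.com", "live.com")


def is_allowlisted(name, allowlist=ALLOWLIST):
    """True only for an allowlisted apex or a true subdomain of it.

    The suffix test is anchored on a dot, so 'notmicrosoft.com' and
    'microsoft.com.invoice-update.example' are not eliminated.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowlist)


def suspicious_domains(events, src, allowlist=ALLOWLIST):
    """Mirror the page's search: match src or src_ip, keep A records only,
    drop allowlisted names, and return (_time, query) rows oldest first."""
    rows = []
    for ev in events:
        if src not in (ev.get("src"), ev.get("src_ip")):
            continue
        if ev.get("record_type") != "A":
            continue
        for q in ev.get("query", []):
            if not is_allowlisted(q, allowlist):
                rows.append((ev["_time"], q))
    # Fixed-width ISO-8601 timestamps sort chronologically as strings (like |reverse here).
    return sorted(rows)


if __name__ == "__main__":
    for when, name in suspicious_domains(SAMPLE_EVENTS, "192.0.2.0"):
        print(when, name)
```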

Result

The table shows the websites the user visited that might have been the source of the ransomware. Next, you might want to ask the user about the purpose of the suspicious websites and what kind of content they include. If the websites are safe, investigate other possible origins of the problem:
