Splunk Lantern

Requests to a large number of subdomains


You want to monitor how many subdomains are requested per domain to identify signs of data exfiltration or Domain Generation Algorithm domains.

Required data


Run the following search. You can optimize it by specifying an index and adjusting the time range.

You must install the URL toolbox app for this search to work.

tag=dns message_type="Query" 
| eval list="mozilla"
| `ut_parse_extended(query, list)`
| stats dc(ut_subdomain) AS HostsPerDomain BY ut_domain
| sort -HostsPerDomain

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

tag=dns

Search for events with the "dns" tag.

message_type="Query"

Search for queries.

| eval list="mozilla"

Search the Mozilla catalog for top level domains.

This eval function is required for the next line in the search (ut_parse_extended) to work.

| `ut_parse_extended(query, list)`

Parse the queries based on the Mozilla top level domain list.

The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

| stats dc(ut_subdomain) as HostsPerDomain by ut_domain

Return the results in a table—grouped by the ut_domain field—that includes a count of the number of distinct subdomains for each domain seen.

| sort -HostsPerDomain

Sort the results with the domain with the highest number of subdomains appearing first.

Next steps

The search results include all domains. Since you probably aren't concerned about queries to subdomains of or other known good sites, you can use lookups to remove noise. 
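To make the search logic and the noise-removal step concrete outside Splunk, here is an added Python example that re-implements what the search above does: it keeps only `Query` events, splits each queried name into subdomain and registered domain against a public suffix list (the role `ut_parse_extended` plays with the Mozilla list), counts distinct subdomains per domain the way `stats dc(ut_subdomain) BY ut_domain` does, sorts descending, and optionally drops domains found in an allowlist the way a lookup would. This is example code written for this page, not part of Splunk or the URL Toolbox app; the suffix list is a tiny constructed subset of the real Mozilla list, the log lines are constructed key=value samples, and the field names `message_type` and `query` are assumed to match the page's search.

```python
"""Offline re-implementation of the "subdomains per domain" search logic (example code, not Splunk's)."""
import re
from collections import defaultdict

# Constructed subset of the Mozilla Public Suffix List. ut_parse_extended(query, "mozilla")
# uses the full list; these entries are only enough to parse the sample lines below.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}

# Constructed sample DNS log lines (key=value style). Not real telemetry.
SAMPLE_LOGS = [
    'message_type="Query" query="www.example.com"',
    'message_type="Query" query="mail.example.com"',
    'message_type="Query" query="www.example.com"',          # duplicate: must not inflate the distinct count
    'message_type="Query" query="example.com"',              # bare registered domain: no subdomain to count
    'message_type="Response" query="ftp.example.com"',       # excluded by the message_type="Query" filter
    'message_type="Query" query="4f9a2c.tunnel-example.net"',
    'message_type="Query" query="b77e01.tunnel-example.net"',
    'message_type="Query" query="c2d8ff.tunnel-example.net"',
    'message_type="Query" query="d31a0b.tunnel-example.net"',
    'message_type="Query" query="intranet.corp-example.co.uk"',
    'message_type="Query" query="vpn.corp-example.co.uk"',
    'message_type="Query" query="cdn.known-good.com"',
    'message_type="Query" query="api.known-good.com"',
    'message_type="Query" query="static.known-good.com"',
]

_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_log_line(line):
    """Extract key="value" pairs from one log line (assumed field names: message_type, query)."""
    return dict(_KV_RE.findall(line))


def split_domain(fqdn):
    """Return (subdomain, registered_domain, suffix) for a hostname, like ut_subdomain/ut_domain/ut_tld.

    The longest matching public suffix wins, so "a.b.example.co.uk" yields
    ("a.b", "example.co.uk", "co.uk") rather than treating "co" as the domain.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):               # i=1 tests the longest candidate suffix first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[: i - 1]), ".".join(labels[i - 1 :]), suffix
    return "", fqdn.lower(), ""                    # no known suffix: treat the whole name as the domain


def hosts_per_domain(lines, allowlist=frozenset()):
    """Equivalent of: message_type="Query" | ut_parse_extended | stats dc(ut_subdomain) BY ut_domain | sort -dc.

    allowlist models the "known good" lookup from the Next steps section: any registered
    domain in it is dropped before counting. Returns [(domain, distinct_subdomain_count), ...]
    sorted by count descending, then by name for a stable order.
    """
    subdomains = defaultdict(set)
    for line in lines:
        event = parse_log_line(line)
        if event.get("message_type") != "Query" or "query" not in event:
            continue
        subdomain, domain, _ = split_domain(event["query"])
        if domain in allowlist:
            continue
        if not subdomain:
            # A bare domain query has no subdomain; stats dc() ignores null values, so do the same.
            continue
        subdomains[domain].add(subdomain)
    return sorted(((d, len(s)) for d, s in subdomains.items()), key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    print("All domains:")
    for domain, count in hosts_per_domain(SAMPLE_LOGS):
        print(f"  {count:4d}  {domain}")
    print("With known-good.com removed via allowlist:")
    for domain, count in hosts_per_domain(SAMPLE_LOGS, allowlist={"known-good.com"}):
        print(f"  {count:4d}  {domain}")
```

The constructed `tunnel-example.net` entries show why the count matters: four distinct, random-looking subdomains under one registered domain float to the top, while a busy but legitimate CDN is easy to suppress with the allowlist, mirroring the lookup-based noise removal described above. When adapting this, replace the toy suffix set with the full public suffix list; an incomplete list mis-splits multi-label suffixes such as `co.uk` and skews the counts.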

Finally, you might be interested in other processes associated with the Monitoring a network for DNS exfiltration use case.