You might want to monitor how many subdomains are requested per domain in the following situation:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Network resolution data
- URL toolbox
Example
You want to monitor how many subdomains are requested per domain to identify signs of data exfiltration or Domain Generation Algorithm domains.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
tag=dns message_type="Query"
| eval list="mozilla"
| `ut_parse_extended(query, list)`
| stats dc(ut_subdomain) AS HostsPerDomain BY ut_domain
| sort -HostsPerDomain
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search / Explanation

tag=dns
  Search for events carrying the "dns" tag.
message_type="Query"
  Restrict the results to DNS query events.
| eval list="mozilla"
  Select the Mozilla top level domain catalog. Note: this eval is required for the next line in the search (ut_parse_extended) to work.
| `ut_parse_extended(query, list)`
  Parse each query into its subdomain and registered domain using the Mozilla top level domain list. Note: the punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').
| stats dc(ut_subdomain) AS HostsPerDomain BY ut_domain
  Return the results in a table, grouped by the ut_domain field, with a count of the distinct subdomains seen for each domain.
| sort -HostsPerDomain
  Sort the results so the domain with the highest number of distinct subdomains appears first.
Result
The search results include all domains. Since you probably aren't concerned about queries to subdomains of microsoft.com or other known good sites, you can use a lookup of known good domains to remove that noise.
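To make the logic of the search above and the lookup-based noise removal concrete, here is an added Python emulation of the same pipeline; it is not part of the original page or of URL Toolbox. It assumes a constructed mini public suffix set in place of the Mozilla list, constructed DNS query records, and a constructed allowlist standing in for the lookup.

```python
# Added example: emulates `ut_parse_extended` + `stats dc(ut_subdomain) BY ut_domain`
# + `sort -HostsPerDomain`, with an allowlist filter in the role of the lookup.
# Everything below is constructed sample data, not data from the page.

# Constructed stand-in for the Mozilla public suffix list (a few suffixes only).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "io"}

# Constructed allowlist of known good domains (the lookup mentioned under Result).
KNOWN_GOOD_DOMAINS = {"microsoft.com"}

# Constructed DNS query names, one per event with message_type="Query".
DNS_QUERIES = [
    "www.microsoft.com", "update.microsoft.com", "login.microsoft.com",
    "a1b2c3d4.evil-exfil.net", "e5f6a7b8.evil-exfil.net",
    "c9d0e1f2.evil-exfil.net", "a3b4c5d6.evil-exfil.net",
    "www.example.co.uk", "mail.example.co.uk",
    "example.com",
]


def parse_extended(fqdn):
    """Split an FQDN into (subdomain, domain) the way ut_parse_extended does:
    the domain is one label above the longest matching public suffix, and the
    subdomain is everything to its left. Returns (None, None) for a bare suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning from the left finds "co.uk" before "uk".
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None, None
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:])
    return None, None


def hosts_per_domain(queries, allowlist=frozenset()):
    """Count distinct subdomains per domain, drop allowlisted domains, and sort
    descending (ties broken by domain name). An empty subdomain is treated as
    null and, like dc() in Splunk, is not counted."""
    seen = {}
    for q in queries:
        subdomain, domain = parse_extended(q)
        if domain is None or domain in allowlist:
            continue
        bucket = seen.setdefault(domain, set())
        if subdomain:
            bucket.add(subdomain)
    return sorted(((d, len(s)) for d, s in seen.items()),
                  key=lambda row: (-row[1], row[0]))
```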