You might want to be able to extract uncommon top level domains from your data when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.
|
Category |
Name |
Importance |
|
Data |
Network traffic data |
Required |
|
App |
Required |
|
|
Add-on |
Recommended |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
You recently started work as a Security Analyst for a company whose users often access websites that don't use the Latin alphabet. You need to be able to accurately extract all URLs from your data.
- Run the following search:
sourcetype=pan:threat
| stats count BY url
| urlparser field=url listname="mozilla" mode=extended
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
sourcetype=pan:threat |
Search threat events from Palo Alto Networks data. |
|
| stats count BY url |
Show the event count for each value in the url field. |
|
| urlparser field=url listname="mozilla" mode=extended |
Use the URLParser app to extract domains from the Mozilla catalog. Note: These are the default settings for the URLParser. Searching | urlparser will yield the same results as specifying the parameters shown here. |
Result
The results show the URLs visited by your users, but it doesn't separate the legitimate ones from the suspicious ones. Use your own lookup tables to help sort through the results, or use the analytic functions of the URL Toolbox app, like Shannon Entropy, to find URLs that you need to investigate.
Comments
0 comments
Please sign in to leave a comment.