topic Re: DNS Request in Monitoring Splunk

DNS Request

NoamP — Wed, 10 Jul 2024 08:31:31 GMT

Hey,
I would love to get help
I want to build a query to be a rule that will monitor DNS requests
I work with two INDEXES in one of them (INDEX1) I need the following fields
src , query , direction and I want that according to the results I got from this 1INDEX the second 2INDEX will take the query field and check what category it falls under
In the second (2INDEX) the query field is equivalent to the DOMAIN field and the category field does not exist in INDEX1

Re: DNS Request

inventsekar — Wed, 10 Jul 2024 10:13:35 GMT

Hi @NoamP .. i assume that the logs are already onboarded to Splunk indexer. (suggest us how do you onboarded the logs pls)

could you pls show us some sample logs pls, then the SPL query can be created easily.. thanks.

Re: DNS Request

NoamP — Wed, 10 Jul 2024 13:20:36 GMT

Hi,

I cant show my logs because of privacy issues.

but for example:

in INDEX 1

src=1.1.1.1 query=dns.com direcrion= snd

INDEX2

domain = dns.com category= education websit