https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630301#M218975 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;,</P><P>your query does not return complete results. The host_querying has value only for the first domain, after that all are empty.&nbsp;</P><P>_time&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; domain &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; host_querying</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2001:503:d414::30</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.8.8</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:12:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>2023-02-09 14:45:27&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; meeo.it</P><P>2023-02-09 14:12:25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spacetrack.org&nbsp;</P><P>2023-02-09 12:50:06&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://www.karlovy-vary.cz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;" target="_blank">www.karlovy-vary.cz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</A></P><P>2023-02-09 12:00:06&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; atlhqmphssql1.eus&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>2023-02-09 11:42:59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; d2azal32wgllwk.cloudfront.net&nbsp;</P><P>And I checked the first domain without host_querying and it has many&nbsp; results.</P><LI-CODE lang="markup">index="msad" sourcetype="MSAD:NT6:DNS" direction=Snd prodaddkarl.com | eval host_querying=src_ip | table domain, host_querying</LI-CODE><P>domain &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; host_querying</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.9</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.8.8</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.8.8</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.9</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.31.80.30</P><P>any other idea?</P><P>thanks a lot</P> Thu, 09 Feb 2023 14:44:47 GMT corti77 2023-02-09T14:44:47Z https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630270#M218965 <P>Hi,</P><P>I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and Windows AD logs.</P><P>From PaloAlto logs I get the list of malicious domains detected and blocked with the following query</P><LI-CODE lang="markup">index="pan_logs" dns sourcetype="pan:threat" dest_zone=External dest_port=53 action=dropped OR action=blocked vendor_action=sinkhole | dedup file_name | table _time, file_name</LI-CODE><P>_time &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; file_name</P><P>2023-02-09 11:42:59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; d2azal32wgllwk.cloudfront.net&nbsp;</P><P>2023-02-09 11:42:19&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; meeo.it</P><P>2023-02-09 11:15:51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; iemlfiles4.com&nbsp;&nbsp;</P><P>2023-02-09 10:26:42&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jingermy.com</P><P>From AD logs I get the DNS requests. I renamed src_ip because the field also exists in paloalto logs.</P><LI-CODE lang="markup">index="msad" sourcetype="MSAD:NT6:DNS" | eval host_querying=src_ip | table _time, domain, host_querying</LI-CODE><P>&nbsp;Those two queries work fine.</P><P>_time &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; domain &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; host_querying</P><P>2023-02-09 12:23:32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; media-waw1-1.cdn.whatsapp.net&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.215&nbsp;</P><P>2023-02-09 12:23:32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; scontent-otp1-1.xx.fbcdn.net&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4&nbsp;&nbsp;</P><P>2023-02-09 12:23:32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; scontent-otp1-1.xx.fbcdn.net&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.27&nbsp;&nbsp;&nbsp;&nbsp;</P><P>2023-02-09 12:23:32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; scontent-otp1-1.xx.fbcdn.net&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4&nbsp;&nbsp;</P><P>2023-02-09 12:23:32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; scontent-otp1-1.xx.fbcdn.net&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.27</P><P>Now, I would like to extract the culprit of that DNS request.</P><LI-CODE lang="markup">index="pan_logs" dns sourcetype="pan:threat" dest_zone=External dest_port=53 action=dropped OR action=blocked vendor_action=sinkhole | dedup file_name | table _time, file_name | join type=left left=L right=R where L.file_name=R.domain [search index="msad" sourcetype="MSAD:NT6:DNS" | eval host_querying=src_ip | fields domain, host_querying] | table _time,file_name,host_querying </LI-CODE><P>The result, empty columns for file_name (domain) and host_querying</P><P>_time &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; file_name &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; host_querying</P><P>2023-02-09 12:00:06&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>2023-02-09 11:42:59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>Could someone point me out what I am doing wrong in the join statement?&nbsp;</P><P>thanks</P> Thu, 09 Feb 2023 11:44:12 GMT https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630270#M218965 corti77 2023-02-09T11:44:12Z https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630299#M218973 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234300">@corti77</a>,</P><P>Could you please try below. &nbsp;(Another usage of join )</P><LI-CODE lang="markup">index="pan_logs" dns sourcetype="pan:threat" dest_zone=External dest_port=53 action=dropped OR action=blocked vendor_action=sinkhole | dedup file_name | table _time file_name | rename file_name as domain | join max=0 type=left domain [ search index="msad" sourcetype="MSAD:NT6:DNS" | eval host_querying=src_ip | fields domain, host_querying] | table _time domain host_querying</LI-CODE> Thu, 09 Feb 2023 14:34:57 GMT https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630299#M218973 scelikok 2023-02-09T14:34:57Z https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630301#M218975 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;,</P><P>your query does not return complete results. The host_querying has value only for the first domain, after that all are empty.&nbsp;</P><P>_time&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; domain &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; host_querying</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2001:503:d414::30</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.8.8</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>2023-02-09 15:33:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; style.itinsell.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.20</P><P>2023-02-09 15:12:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>2023-02-09 14:45:27&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; meeo.it</P><P>2023-02-09 14:12:25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spacetrack.org&nbsp;</P><P>2023-02-09 12:50:06&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://www.karlovy-vary.cz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;" target="_blank">www.karlovy-vary.cz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</A></P><P>2023-02-09 12:00:06&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; atlhqmphssql1.eus&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>2023-02-09 11:42:59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; d2azal32wgllwk.cloudfront.net&nbsp;</P><P>And I checked the first domain without host_querying and it has many&nbsp; results.</P><LI-CODE lang="markup">index="msad" sourcetype="MSAD:NT6:DNS" direction=Snd prodaddkarl.com | eval host_querying=src_ip | table domain, host_querying</LI-CODE><P>domain &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; host_querying</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.4.4</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.9</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.8.8</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8.8.8.8</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.20.9</P><P>prodaddkarl.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.31.80.30</P><P>any other idea?</P><P>thanks a lot</P> Thu, 09 Feb 2023 14:44:47 GMT https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630301#M218975 corti77 2023-02-09T14:44:47Z https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630312#M218977 <P>Hi again&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;</P><P>I just realized that the number of results in the sub-search might be the root cause of the problem. If I reduce the time frame of the search I get results in the column host_querying for all the rows.</P><P>Any other approach that might not depend on the time selection?</P><P>&nbsp;</P><P>thanks</P> Thu, 09 Feb 2023 15:18:14 GMT https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630312#M218977 corti77 2023-02-09T15:18:14Z https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630322#M218980 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;</P><P>I will close the question as I was struggling a lot with the standard DNS logs from AD.</P><P>I decided to deploy SYSMON in the workstations and the DNS is much more clear now. I still need to correlate events based in one field (domain) but I need to adjust the time, in order to identify (more or less) the originator. In case the domain was visited from several computers during the day.</P><P>Anyway, I upvoted for you, I much appreciate your help.</P><P>&nbsp;</P> Thu, 09 Feb 2023 16:23:53 GMT https://community.splunk.com/t5/Splunk-Search/Detect-host-connecting-to-malicious-domains-PaloAlto-AD-join/m-p/630322#M218980 corti77 2023-02-09T16:23:53Z