Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dns Queries

eamonnr
New Member
‎02-24-2014 01:11 PM

Is it possible to create a splunk alert anytime a domain name is queried for the 1st time within an organisation? E.G. An employee clicks on a link in a phishing email?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-24-2014 01:46 PM

Sure, provided you have events in Splunk that tell you when a DNS query occurred for what host.

You'd build a summary index that stores the first occurrence for each queried host. You'd write a summarizing search that adds new hosts to that summary index frequently, and an alert that fires whenever new data is added to the summary index.

0 Karma
Reply

eamonnr
New Member
‎02-24-2014 02:42 PM

Great, Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...