Is it possible to create a Splunk alert any time a domain name is queried for the first time within an organisation? E.g. an employee clicks on a link in a phishing email?
Sure, provided you have events in Splunk that tell you when a DNS query occurred for what host.
You'd build a summary index that stores the first occurrence for each queried host. You'd write a summarizing search that adds new hosts to that summary index frequently, and an alert that fires whenever new data is added to the summary index.
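A concrete version of the two-search design described in the answer above, as an added example that is not part of the original thread: a savedsearches.conf fragment with the scheduled summarizing search and the alert that watches the summary index. It assumes DNS events in index=dns with the looked-up name in a field called query and the client address in src_ip (hypothetical field names; substitute the ones your DNS sourcetype produces), a summary index named summary, the sourcetype name dns_first_seen for the summary rows, and soc@example.com as the notification address.

```ini
# Added example (not from the original thread): savedsearches.conf stanzas.
# Assumptions: DNS events in index=dns with fields "query" (name looked up)
# and "src_ip" (client); a summary index called "summary"; summary rows tagged
# sourcetype=dns_first_seen; mail to soc@example.com. Adjust to your data.

# 1) Summarizing search: every 15 minutes, take the names queried in a
#    15-minute window, drop any that already exist in the summary index, and
#    write the rest (with first-seen time, clients, and hit count).
#    The window lags 5 minutes behind "now" so late-indexed events are not
#    missed; consecutive windows are contiguous and do not overlap.
[dns_first_seen_summarize]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = -5m@m
search = index=dns query=* \
  | eval query=lower(rtrim(query, ".")) \
  | stats min(_time) AS first_seen, values(src_ip) AS src_ips, count AS hits BY query \
  | eval known=0 \
  | append [ search index=summary sourcetype=dns_first_seen earliest=-90d@d latest=now \
             | stats count BY query | eval known=1 ] \
  | stats sum(known) AS known, min(first_seen) AS first_seen, values(src_ips) AS src_ips, max(hits) AS hits BY query \
  | where known=0 \
  | eval _time=now() \
  | fields _time query first_seen src_ips hits \
  | collect index=summary sourcetype=dns_first_seen

# 2) Alert: fire whenever the summarizing search wrote new rows. It runs
#    5 minutes after each summarizing run and looks at the last 15 minutes
#    of summary rows (their _time is the time they were written).
[dns_first_seen_alert]
enableSched = 1
cron_schedule = 5,20,35,50 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = index=summary sourcetype=dns_first_seen \
  | eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S") \
  | table first_seen query src_ips hits
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 3
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.include.results_link = 1
```

Two practical caveats. Before enabling the schedule, run the summarizing search once over as much DNS history as you have, otherwise every domain in the organisation looks "new" on the first day. The known-set check here is a subsearch (append), which is bounded by subsearch row and runtime limits; once the summary index holds more distinct names than those limits allow, move the known set into a lookup (write it with outputlookup, test membership with lookup), which is not subject to subsearch limits. Names are lowercased and stripped of a trailing dot so case and FQDN form do not create spurious "first" sightings.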
Great, thanks!