Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Correlation Rule: Unauthorized DNS Server Exceptions

adam_dixon95
Explorer
‎05-23-2019 03:54 AM

Hi,

I'm looking at enabling the 'DNS Query Requests Resolved by Unauthorized DNS Servers' rule in Splunk ES - Unfortunately this is generating a large amount of false results.

See the search below:
| tstats summariesonly count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | drop_dm_object_name("DNS")

I want to add a list of legitimate DNS servers to this search so that the false alerts can be excluded from this.

I'm wondering what the best way to incorporate this into the search would be (potentially a lookup)?

Thanks

0 Karma
Reply

LukeMurphey
Champion
‎05-23-2019 09:45 AM

A lookup is the way that I would suggest doing it.

I tested this and got this to work pretty easily. Here is how I did it:

Step 1: make a lookup file

I made a lookup file with two columns:

  1. dest
  2. approved

You can specify a value of "1" in the approved column to drop the destination from the search.

Step 2: update the search to use the lookup file

Next, I updated the search to use the lookup and drop the entries that match it:

| tstats `summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")` | lookup dns_exception_list dest | search NOT approved=1

Note that the lookup I created was called "dns_exception_list". It drops any entries where the 'approved' column has a value of '1'.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...