Splunk Enterprise Security

Correlation Rule: Unauthorized DNS Server Exceptions



I'm looking at enabling the 'DNS Query Requests Resolved by Unauthorized DNS Servers' rule in Splunk ES - Unfortunately this is generating a large amount of false results.

See the search below:
| tstats summariesonly count from datamodel=NetworkResolution where DNS.destcategory != dnsserver AND DNS.srccategory != dnsserver by DNS.src DNS.dest | `dropdmobjectname("DNS")`

I want to add a list of legitimate DNS servers to this search so that the false alerts can be excluded from this.

I'm wondering what the best way to incorporate this into the search would be (potentially a lookup)?


0 Karma


A lookup is the way that I would suggest doing it.

I tested this and got this to work pretty easily. Here is how I did it:

Step 1: make a lookup file

I made a lookup file with two columns:

  1. dest
  2. approved

You can specify a value of "1" in the approved column to drop the destination from the search.

Step 2: update the search to use the lookup file

Next, I updated the search to use the lookup and drop the entries that match it:

| tstats `summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")` | lookup dns_exception_list dest | search NOT approved=1

Note that the lookup I created was called "dnsexceptionlist". It drops any entries where the 'approved' column has a value of '1'.

0 Karma