Splunk Enterprise Security

Defining Authorized Name Servers in ES

barcher83
Explorer

The ES correlation search 'DNS Query Requests Resolved by Unauthorized DNS Servers' determines if the traffic is to from and authorized name server by using the criteria:

DNS.dest_category != dns_server AND
DNS.src_category != dns_server

from the 'Network Resolution (DNS) > DNS' Data model.

In our environment the DNS Data Model is populated from events from Microsoft AD: Sourcetype MSAD:NT6:DNS however, dest_category and src_category are not populated by this app.

Anyone know the appropriate way to inform ES of the authorized name servers?

0 Karma
1 Solution

starcher
SplunkTrust
SplunkTrust

Follow the ES docs for populating asset information

View solution in original post

starcher
SplunkTrust
SplunkTrust

Follow the ES docs for populating asset information

barcher83
Explorer

Thank you, yes 'category' field was not populated in our asset import.

https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Formatassetoridentitylist

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...