Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Defining Authorized Name Servers in ES

barcher83
Explorer
‎10-02-2019 09:20 AM

The ES correlation search 'DNS Query Requests Resolved by Unauthorized DNS Servers' determines if the traffic is to from and authorized name server by using the criteria:

DNS.dest_category != dns_server AND
DNS.src_category != dns_server

from the 'Network Resolution (DNS) > DNS' Data model.

In our environment the DNS Data Model is populated from events from Microsoft AD: Sourcetype MSAD:NT6:DNS however, dest_category and src_category are not populated by this app.

Anyone know the appropriate way to inform ES of the authorized name servers?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

starcher
Influencer
‎10-02-2019 06:22 PM

Follow the ES docs for populating asset information

View solution in original post

Reply
Solved! Jump to solution
Solution

starcher
Influencer
‎10-02-2019 06:22 PM

Follow the ES docs for populating asset information

Reply
Solved! Jump to solution

barcher83
Explorer
‎10-07-2019 08:02 AM

Thank you, yes 'category' field was not populated in our asset import.

https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Formatassetoridentitylist

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...