Splunk Enterprise Security

Excessive DNS Queries - Whitelist?

ctulumba
Engager

Hi all - I'm working to do a lot of cleanup in Splunk ES to cut down on some of the noise. The one area I'm having a ton of excess noise come in is from Excessive DNS Queries. I'm wondering if there is a way to create a "whitelist" of host names where I can filter hostnames that I know are valid and heavily used in our organization - things like office365.com and business related services that are heavily used from being counted towards DNS activity? We're spending alot of time reviewing DNS logs and 99.9% of the time the queries are valid business case uses and not security related.

Labels (1)

nmyd122
New Member

I ran into the same issue. I created a lookup table containing known dns domain names, such as "office365.com" and changed the the "Excessive DNS Queries " rule in ES to:

| tstats summariesonly=true allow_old_summaries=true
values(host) as host
count from datamodel=Network_Resolution.DNS
where "DNS.message_type"="QUERY"
NOT
[| inputlookup known_dns_queries.csv
| rename query as DNS.query]
by "DNS.src","DNS.query",sourcetype, _time span=30min
| rename "DNS.src" as "src", "DNS.query" as query

0 Karma

Daniel_K
Explorer

327 views but no answer.

We welcome an answer. 🙂

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...