Hi all - I'm working to do a lot of cleanup in Splunk ES to cut down on some of the noise. The one area I'm having a ton of excess noise come in is from Excessive DNS Queries. I'm wondering if there is a way to create a "whitelist" of host names where I can filter hostnames that I know are valid and heavily used in our organization - things like office365.com and business related services that are heavily used - from being counted towards DNS activity? We're spending a lot of time reviewing DNS logs and 99.9% of the time the queries are valid business case uses and not security related.
I ran into the same issue. I created a lookup table containing known DNS domain names, such as "office365.com", and changed the "Excessive DNS Queries" rule in ES to:
| tstats summariesonly=true allow_old_summaries=true
    values(host) as host
    count from datamodel=Network_Resolution.DNS
    where "DNS.message_type"="QUERY"
    NOT
        [| inputlookup known_dns_queries.csv
         | rename query as DNS.query]
    by "DNS.src","DNS.query",sourcetype, _time span=30min
| rename "DNS.src" as "src", "DNS.query" as "query"
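As an added illustration (not part of the answer above, and not Splunk code), the following Python models what that search does: it reads a small constructed known_dns_queries.csv, drops queries that appear in it, and counts the rest per source and query in 30-minute buckets. It also goes one step beyond the exact-match behaviour of the NOT [ inputlookup ... ] subsearch with an optional suffix match, so that subdomains of an allowlisted domain are treated as known; the file contents and events are constructed sample data.

```python
"""Model of an allowlist-filtered 'Excessive DNS Queries' count.
Constructed sample data; this is illustrative Python, not Splunk SPL."""
import csv
import io
from collections import Counter

# Constructed stand-in for known_dns_queries.csv (single 'query' column,
# as in the lookup described in the answer above).
KNOWN_DNS_QUERIES_CSV = """query
office365.com
login.microsoftonline.com
"""

# Constructed DNS QUERY events: (src, query, epoch seconds).
SAMPLE_EVENTS = [
    ("10.0.0.5", "office365.com", 1700000000),
    ("10.0.0.5", "office365.com", 1700000100),
    ("10.0.0.5", "outlook.office365.com", 1700000200),
    ("10.0.0.7", "random-label.example", 1700000300),
    ("10.0.0.7", "random-label.example", 1700002000),  # next 30-min bucket
]

SPAN_SECONDS = 30 * 60  # mirrors '_time span=30min'


def load_allowlist(csv_text):
    """Parse the lookup into a set of normalised (lowercase, no trailing dot) names."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["query"].strip().lower().rstrip(".") for row in reader}


def is_allowed(query, allowlist, match_subdomains=False):
    """Exact match mirrors the SPL subsearch exclusion on DNS.query.
    match_subdomains=True is an extension: names below an allowlisted
    domain (e.g. outlook.office365.com) are also treated as known."""
    q = query.strip().lower().rstrip(".")
    if q in allowlist:
        return True
    if match_subdomains:
        return any(q.endswith("." + d) for d in allowlist)
    return False


def count_queries(events, allowlist, match_subdomains=False):
    """Return {(src, query, bucket_start): count} for non-allowlisted queries,
    grouped like 'by DNS.src, DNS.query, _time span=30min'."""
    counts = Counter()
    for src, query, ts in events:
        if is_allowed(query, allowlist, match_subdomains):
            continue
        bucket = ts - (ts % SPAN_SECONDS)
        counts[(src, query.lower(), bucket)] += 1
    return dict(counts)
```

With exact matching, outlook.office365.com still counts because the lookup only lists office365.com; a real rule would also need the threshold/where clause that ES applies after this count.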
327 views but no answer.
We welcome an answer. 🙂