Excessive DNS Queries - Whitelist?

ctulumba · ‎06-26-2018

Hi all - I'm working to do a lot of cleanup in Splunk ES to cut down on some of the noise. The one area I'm having a ton of excess noise come in is from Excessive DNS Queries. I'm wondering if there is a way to create a "whitelist" of host names where I can filter hostnames that I know are valid and heavily used in our organization - things like office365.com and business related services that are heavily used from being counted towards DNS activity? We're spending alot of time reviewing DNS logs and 99.9% of the time the queries are valid business case uses and not security related.

nmyd122 · ‎05-26-2020

I ran into the same issue. I created a lookup table containing known dns domain names, such as "office365.com" and changed the the "Excessive DNS Queries " rule in ES to:

| tstats summariesonly=true allow_old_summaries=true
values(host) as host
count from datamodel=Network_Resolution.DNS
where "DNS.message_type"="QUERY"
NOT
[| inputlookup known_dns_queries.csv
| rename query as DNS.query]
by "DNS.src","DNS.query",sourcetype, _time span=30min
| rename "DNS.src" as "src", "DNS.query" as query

Daniel_K · ‎11-22-2019

327 views but no answer.

We welcome an answer. 🙂

Excessive DNS Queries - Whitelist?

using Enterprise Security

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!