Splunk Enterprise Security

Query to find host making certain traffic

vishwanadhan_mu
Explorer

Hi All,

Could you please help me in writing a query for the below scenario:

I want find a src computer which is trying to reach out specific blocked or suspicious site everyday for the last 30-90days.

Also another query for the same but a src reaching out to multiple blocked sites everyday for last 30-90 days. (Multiple sites: the src might be reaching out same set of destination everyday)

Thanks

0 Karma

diogofgm
SplunkTrust
SplunkTrust

Can you provide more information? Which are your data source? Are they compliant with Splunk CIM?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

vishwanadhan_mu
Explorer

For Example, DNS logs & Palo Alto

Assume computer XYZ-PC is reaching out to a blocked domain abc.com everyday .

Another case:

Computer XYZ-PC is reaching out to abc.com , asd.com & qwe.com everyday.

I will not know the domain OR url the computer is reaching out to. So, I would basically search with computer going to blocked domains/urls everyday.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...