Splunk Enterprise Security

Query to find host making certain traffic

vishwanadhan_mu
Explorer

Hi All,

Could you please help me in writing a query for the below scenario:

I want to find a src computer which is trying to reach out to a specific blocked or suspicious site every day for the last 30-90 days.

Also another query for the same, but a src reaching out to multiple blocked sites every day for the last 30-90 days. (Multiple sites: the src might be reaching out to the same set of destinations every day.)

Thanks

0 Karma

diogofgm
SplunkTrust

Can you provide more information? What are your data sources? Are they compliant with Splunk CIM?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

vishwanadhan_mu
Explorer

For example, DNS logs & Palo Alto.

Assume computer XYZ-PC is reaching out to a blocked domain abc.com every day.

Another case:

Computer XYZ-PC is reaching out to abc.com, asd.com & qwe.com every day.

I will not know the domain or URL the computer is reaching out to. So, I would basically search for computers going to blocked domains/URLs every day.

0 Karma
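One way to express both asks (a src hitting one blocked destination every day, and a src hitting a set of blocked destinations every day) in a single search. This is an added example, not code from any poster in this thread, and it assumes the field names `src`, `dest` and `action` (with `action=blocked` for denied traffic) as produced by a CIM-normalized Palo Alto threat feed, plus an assumed `index=pan_logs` and `sourcetype=pan:threat`; adjust these to your own data. For DNS logs the equivalent destination field is typically `query` rather than `dest`.

```spl
index=pan_logs sourcetype=pan:threat action=blocked earliest=-30d@d latest=@d
| bucket _time span=1d
| stats count AS hits BY _time src dest
| eventstats dc(_time) AS days_with_data
| stats dc(_time) AS active_days sum(hits) AS hits max(days_with_data) AS days_with_data BY src dest
| where active_days = days_with_data
| stats values(dest) AS daily_blocked_dests dc(dest) AS dest_count sum(hits) AS hits BY src
| where dest_count >= 1
| sort - dest_count
```

How it works: events are bucketed per calendar day, counted per `src`/`dest` pair, and a pair is kept only if it appears on every day that produced any blocked events in the window (`days_with_data` rather than a hard-coded 30, so a day of missing logs does not silently empty the result; use `where active_days >= 30` instead if you want strict calendar coverage). The final `stats` collapses to one row per source with the list of destinations it reaches daily; `dest_count >= 1` answers the first question, and raising it to `>= 2` or `>= 3` answers the second (the same set of destinations every day). For a 90-day window change `earliest=-90d@d`; over that range a raw search can be slow, so on CIM data prefer replacing the first line with an accelerated data-model query such as `| tstats count FROM datamodel=Web WHERE Web.action=blocked BY _time span=1d Web.src Web.dest | rename Web.* AS *` and dropping the `bucket` and first `stats` lines.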