Query to find host making certain traffic
Hi All,
Could you please help me in writing a query for the scenario below:
I want to find a src computer which is trying to reach out to a specific blocked or suspicious site every day for the last 30-90 days.
Also another query for the same, but a src reaching out to multiple blocked sites every day for the last 30-90 days. (Multiple sites: the src might be reaching out to the same set of destinations every day.)
Thanks

Can you provide more information? What are your data sources? Are they compliant with Splunk CIM?
Hope I was able to help you. If so, some karma would be appreciated.
For example, DNS logs & Palo Alto.
Assume computer XYZ-PC is reaching out to a blocked domain abc.com every day.
Another case:
Computer XYZ-PC is reaching out to abc.com, asd.com & qwe.com every day.
I will not know the domain or URL the computer is reaching out to. So I would basically search for a computer going to blocked domains/URLs every day.
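One way to answer both cases in a single search, added here as an example and not taken from any post in this thread. It assumes Palo Alto threat events with CIM-style `src`, `dest` and `action` fields in an index called `pan_logs` (index, sourcetype and the `action=blocked` value are assumptions; adjust them to your data, or swap in your DNS sourcetype with its own blocked/sinkholed indicator). The window is fixed at 30 whole days; for 90 days change `earliest=-90d@d` and the `days_seen >= 30` threshold together.

```spl
index=pan_logs sourcetype="pan:threat" action=blocked earliest=-30d@d latest=@d
| bin _time span=1d
| stats count AS hits BY _time src dest
| stats dc(_time) AS days_seen sum(hits) AS hits BY src dest
| where days_seen >= 30
| stats values(dest) AS blocked_dests dc(dest) AS dest_count sum(hits) AS hits BY src
| eval pattern=if(dest_count > 1, "same set of blocked sites daily", "single blocked site daily")
| sort - dest_count
```

`bin _time span=1d` turns each event into a calendar day, so `dc(_time)` per `src`/`dest` pair counts distinct days that pair was blocked; only pairs seen on every day of the window survive the `where`, and the final `stats` rolls those pairs up per source so a host with `dest_count=1` matches the first case and `dest_count>1` the second.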
