Splunk Enterprise Security

Query to find host making certain traffic

vishwanadhan_mu
Explorer

Hi All,

Could you please help me in writing a query for the below scenario:

I want find a src computer which is trying to reach out specific blocked or suspicious site everyday for the last 30-90days.

Also another query for the same but a src reaching out to multiple blocked sites everyday for last 30-90 days. (Multiple sites: the src might be reaching out same set of destination everyday)

Thanks

0 Karma

diogofgm
SplunkTrust
SplunkTrust

Can you provide more information? Which are your data source? Are they compliant with Splunk CIM?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

vishwanadhan_mu
Explorer

For Example, DNS logs & Palo Alto

Assume computer XYZ-PC is reaching out to a blocked domain abc.com everyday .

Another case:

Computer XYZ-PC is reaching out to abc.com , asd.com & qwe.com everyday.

I will not know the domain OR url the computer is reaching out to. So, I would basically search with computer going to blocked domains/urls everyday.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...