Splunk Enterprise Security

Query to find host making certain traffic

vishwanadhan_mu
Explorer

Hi All,

Could you please help me in writing a query for the below scenario:

I want to find a src computer which is trying to reach out to a specific blocked or suspicious site every day for the last 30-90 days.

Also another query for the same, but a src reaching out to multiple blocked sites every day for the last 30-90 days. (Multiple sites: the src might be reaching out to the same set of destinations every day.)

Thanks

0 Karma

diogofgm
SplunkTrust

Can you provide more information? What are your data sources? Are they compliant with Splunk CIM?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

vishwanadhan_mu
Explorer

For example, DNS logs & Palo Alto.

Assume computer XYZ-PC is reaching out to a blocked domain abc.com every day.

Another case:

Computer XYZ-PC is reaching out to abc.com, asd.com & qwe.com every day.

I will not know the domain or URL the computer is reaching out to. So, I would basically search for computers going to blocked domains/URLs every day.

0 Karma
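The two scenarios above (one source hitting the same blocked site every day, and one source hitting several blocked sites every day), written out as SPL. This is an added example, not a reply from either poster, and it assumes a Palo Alto threat index named `pan_logs` with extracted fields `src`, `dest` and `action`, where `action=blocked` marks a denied connection; replace those with whatever your sourcetype (or the CIM Web data model, if the data is mapped) actually provides. The window is 30 full days (`-30d@d` to `@d`), so "every day" means `days_seen` equals 30; widen to `-90d@d` and raise the threshold for the 90-day case.

```spl
index=pan_logs sourcetype="pan:threat" action=blocked earliest=-30d@d latest=@d
| bin _time span=1d
| stats count AS hits BY _time src dest
| stats dc(_time) AS days_seen sum(hits) AS total_hits BY src dest
| where days_seen >= 30
| sort - total_hits

index=pan_logs sourcetype="pan:threat" action=blocked earliest=-30d@d latest=@d
| bin _time span=1d
| stats dc(dest) AS sites_per_day values(dest) AS sites BY _time src
| where sites_per_day >= 2
| stats dc(_time) AS days_seen min(sites_per_day) AS min_sites max(sites_per_day) AS max_sites values(sites) AS blocked_sites BY src
| where days_seen >= 30
```

The first search buckets blocked events per day, counts the distinct days each src/dest pair appears, and keeps only pairs present on every day of the window; the second search counts distinct blocked destinations per source per day and keeps sources that hit at least two such sites on every day. Lowering the `days_seen` threshold (for example to 25 of 30) tolerates hosts that are off over weekends, which is usually the practical choice for workstations. For DNS logs, swap the index and sourcetype and use the queried-domain field in place of `dest`.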