Splunk Enterprise Security

Web application firewall use case: How to find top targeted domain on my domain?

k115
Engager

Hi Team,

I am working on web application firewall related use case, I wanna find out top targeted domain on my domain.

I just try to work with index=netwaf

Example: my domain is example.com, so there is a bunch of subdomains, So I  just want to find top targeted domains with traffic size  ( if it is malicious would be great )

please I need help quickly.

 

Labels (2)
Tags (3)
0 Karma

lblystone
Splunk Employee
Splunk Employee

Have you checked out the URL toolbox app? It has some handy macros that allow you to parse domains & TLDs. https://splunkbase.splunk.com/app/2734

 

If you want to see the top domains (after you remove the subdomains), try a search like the one below. I would look for a field in your web app logs that might indicate if it is malicious or not. Otherwise, you will need to add some kind of threat intelligence list to ES to cross-reference malicious sites with what is found in your logs.  

index=netwaf | stats sum(bytes) as total_bytes count by domain

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...