Splunk Enterprise

How do I feed request and response events to the Network Resolution datamodel?

MonkeyK
Builder

We've been trying to set up the CIM datamodels in our environment.   One that seems particularly useful is Network_Resolution (DNS).  Network Resolution has just one dataset for DNS and the events look like they intend to capture request and response data

  • answer
  • dest
  • message_type
  • query
  • query_type
  • reply code  
  • src

of these some are clearly related to the request and some are clearly related to an answer.  

Is the idea that the datamodel should be populated with just query data (no answer) for message type=query? and just response data (no query/query type) for message_type=response?

Or is there some effort that should be made to correlate the request and responses? so that each record contains everything where possible?

 

We did set up Splunk Stream to handle DNS.  Splunk stream tries to pair up request and response but seems to miss some pairings: I find that about 30% of DNS events from Splunk Stream have both request and response, ~40% have only query, and ~30% have only response

so it would be possible to add 30% of DNS events to Network Resolution with both query and response, but then the rest would have to be just query or just response events -- missing the other fields.  Or I could just split out the query and response from the joint records. 

Does anyone who uses Network Resolution (especially in ES) have a recommendation on how to do this?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...