Hey Splunkers,
Can someone please help me with the logic, how can I finetune the search below to detect DNS tunnelling? The one here is too noisy.. or if a better SPL is available that can be used instead.
| tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.query
| rename DNS.src as src DNS.query as message
| eval length=len(message)
| stats sum(length) as length by src
| append
[ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.answer
| rename "DNS.src" as src "DNS.answer" as message
| eval message=if(message=="unknown","", message)
| eval length=len(message)
| stats sum(length) as length by src ]
| stats sum(length) as length by src | where length > 100
Thanks!
Only looking for devices that show a high volume (in bytes rather than count) of unique DNS requests/responses will indeed probably cause a lot of noise.
Take a look at these articles to take a more advanced approach to this:
https://www.splunk.com/en_us/blog/security/hunting-your-dns-dragons.html
One of the key tricks discussed there is to also look at the entropy of the domains occuring in the query. Long, high-entropy sub-domain names are a good indicator someone is trying to hide data in DNS messages.