Hey Splunkers,

Can someone please help me with the logic, how can I finetune the search below to detect DNS tunnelling? The one here is too noisy.. or if a better SPL is available that can be used instead.

| tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.query
| rename DNS.src as src DNS.query as message 
| eval length=len(message) 
| stats sum(length) as length by src 
| append 
    [ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.answer
    | rename "DNS.src" as src "DNS.answer" as message 
    | eval message=if(message=="unknown","", message) 
    | eval length=len(message) 
    | stats sum(length) as length by src ] 
| stats sum(length) as length by src | where length > 100

Thanks!