How to write a search to alert when workstations s...

rashid47010 · ‎08-08-2016

Hi everyone,

We have Infoblox.

Can anybody explain how can I configure an alert against only workstations who query to internet public IPs?

sundareshr · ‎08-15-2016

Have you looked at this app?

https://splunkbase.splunk.com/app/2934/#/overview

ppablo · ‎08-08-2016

Hi @rashid47010

Can you please provide more details on exactly what you need help with, what you are trying to do, your expected outcome, etc? Are you trying to come up with a Splunk search on Infoblox data to create an alert? Please include as much information as possible in your questions so users can understand the full picture of what you're trying to do so they can help you.

rashid47010 · ‎08-08-2016

HI

Let me elaborate my question again, We have infoblox and it is integrated with Splunk.

The field the_query_type is telling us the query type. For example might be it is "A", "PTR","AAAA","SRV",SOA","CNAME","TXT","NS","MX"

and we are only interested in finding the query or query_type that is sending queries to the Internet (public IPs)

Query field values:

xx.xx.xx.xxx.in-addr.arpa   
xxx04.xxxxi.xxx 
xx.x.x0.xxx.in-addr.arpa    
xx.x.xx.xxx2.in-addr.arpa   
xx.x.xx.xx.in-addr.arpa 
xx.x.xx.xx2.in-addr.arpa
ent-xxxx-rrs.symantec.com   
www.xxxt.com    
xxx.xxxi.xxx    
ntp.xxx.com

How to write a search to alert when workstations send queries to public IPs?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life