Splunk Search

How to write a search to alert when workstations send queries to public IPs?

rashid47010
Communicator

Hi everyone,

We have Infoblox.

Can anybody explain how I can configure an alert against only the workstations that send queries for public Internet IPs?



ppablo
Retired

Hi @rashid47010

Can you please provide more details on exactly what you need help with, what you are trying to do, your expected outcome, etc? Are you trying to come up with a Splunk search on Infoblox data to create an alert? Please include as much information as possible in your questions so users can understand the full picture of what you're trying to do so they can help you.

rashid47010
Communicator

Hi

Let me elaborate my question again. We have Infoblox and it is integrated with Splunk.

The field query_type tells us the query type. For example, it might be "A", "PTR", "AAAA", "SRV", "SOA", "CNAME", "TXT", "NS" or "MX",

and we are only interested in finding the queries or query types that are sent to the Internet (public IPs).

Query field values:

xx.xx.xx.xxx.in-addr.arpa
xxx04.xxxxi.xxx
xx.x.x0.xxx.in-addr.arpa
xx.x.xx.xxx2.in-addr.arpa
xx.x.xx.xx.in-addr.arpa
xx.x.xx.xx2.in-addr.arpa
ent-xxxx-rrs.symantec.com
www.xxxt.com
xxx.xxxi.xxx
ntp.xxx.com
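The detection logic behind such an alert, as an added example that is not part of this thread or of Infoblox's or Splunk's own code: the in-addr.arpa names in the query field are reverse lookups, so each one can be turned back into the IPv4 address it reverses and checked against the internal ranges; whatever falls outside them is a candidate for the alert. The example covers only PTR queries, because deciding whether an A/AAAA lookup resolved to a public address needs the response field, which the post does not show; the INTERNAL_NETS list, the field names and the sample events are assumptions and would be replaced by the site's own ranges and Infoblox field names.

```python
import ipaddress
import re
from typing import Optional

# Assumed internal ranges (RFC 1918 plus loopback and link-local); a real
# deployment lists the organisation's own address space here instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Reverse-lookup name: four octets in reversed order, then in-addr.arpa.
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(query: str) -> Optional[ipaddress.IPv4Address]:
    """Turn d.c.b.a.in-addr.arpa back into the IPv4 address a.b.c.d, or None."""
    m = PTR_RE.match(query.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(m.groups())))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def is_public_ptr(query_type: str, query: str) -> bool:
    """True when a PTR query reverses an address outside the internal ranges."""
    if query_type.upper() != "PTR":
        return False
    ip = ptr_to_ip(query)
    return ip is not None and not is_internal(ip)


def alert_candidates(events):
    """Return (client, query) pairs for reverse lookups of non-internal addresses."""
    return [(e["client"], e["query"]) for e in events
            if is_public_ptr(e["query_type"], e["query"])]


# Constructed sample events shaped like the Infoblox fields discussed above.
SAMPLE_EVENTS = [
    {"client": "10.20.30.40", "query_type": "PTR", "query": "7.30.20.10.in-addr.arpa"},
    {"client": "10.20.30.41", "query_type": "PTR", "query": "5.113.0.203.in-addr.arpa"},
    {"client": "10.20.30.42", "query_type": "A", "query": "ntp.example.com"},
    {"client": "10.20.30.43", "query_type": "PTR", "query": "300.1.1.1.in-addr.arpa"},
]

if __name__ == "__main__":
    for client, q in alert_candidates(SAMPLE_EVENTS):
        print(f"{client} reverse-resolved a non-internal address: {q}")
```

The same steps map onto an SPL alert as a rex on the query field, an eval that reassembles the octets, and a cidrmatch against the internal ranges.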