Re: Query Correlation

cesaralzaga · ‎05-24-2013

I was hoping that someone could help me out with a query. I am trying to correlate a DNS request to the firewall IP that was being forward. The firewall shows only the IP related to a rule that fired and I am trying to create a query that will capture the domain name query (DNS) that was associated with the rule(FIREWALL).

I have sourcetype=named query from IP: 72.9.231.10 Port:3391 Name: Paimia.com Destination: 141.101.116.157
sourectype=snort_alerts Blackhole_toolkit 141.101.116.157

I want to build a guery which will show all events from the souretype=snort Blackhole_tookit rule and destination IPs in common with destination IPs in the sourcetype=named.

kml_uvce · ‎05-24-2013

with your less information ,i built below query... here its give output from both sourcetypes and common ip.

sourcetype=snort_alerts "Blackhole_toolkit" |join ip [search sourcetype=named]

kamal singh bisht

kml_uvce · ‎05-29-2013

Please vote or accept this as ans

kamal singh bisht

cesaralzaga · ‎05-29-2013

Thanks for Your help. It was spot on.

kristian_kolb · ‎05-24-2013

without posting any sample events, it's going to be hard for anybody to help you.

Query Correlation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation