Getting Data In

How to search for events with domains on DNS Blocklist?

waJesu
Explorer

I have lookup table with a DNS blocklist. What query can I use to search for events with any of the blocklisted domains. I had received advice to create a csv file with two columns: "Domain" and "suspicious" which is set to 1 for all the domains. Then I would search for the dns sourcetype and suspicious=1. This did not work.

Labels (1)
Tags (1)
0 Karma

tscroggins
Motivator

@waJesu 

Hi,

Let's assume your events have a field named url_domain. You can combine your lookup with a subsearch to filter events:

index=main [| inputlookup blocklist.csv where suspicious=1 | table Domain | rename Domain as url_domain ]

This expands to, for example:

index=main ( ( url_domain="foo.example.com" ) OR ( url_domain="bar.example.com" ) OR ( url_domain="baz.example.com" ) )

You can also use lookups for filtering in the search pipeline:

index=main
``` perform pre-filtering tasks here ```
| lookup blocklist.csv Domain as url_domain output suspicious

| search suspicious=1

 

0 Karma

waJesu
Explorer

@tscroggins Thank you for the assistance. I tried index=main 

| lookup blocklist.csv Domain as url_domain output suspicious
| search suspicious=1

It says  "the destination suspicious was not found in the blocklist.csv. My table looks like this:

waJesu_0-1679310636911.png

I am not sure where I missed it. 

 

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...