forked from splunk/security_content
discover_dns_records.yml
baseline:
  splunk:
    schedule:
      cron_schedule: 0 0 1 * *
      earliest_time: -30d@d
      latest_time: -10m@m
    search: '| inputlookup cim_corporate_email_domains.csv | inputlookup append=T
      cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv |
      eval domain = trim(replace(domain, "\*", "")) | join domain [|tstats `security_content_summariesonly`
      count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution
      where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query
      | rename DNS.query as query | where query!="unknown" | rex field=query "(?<domain>\w+\.\w+?)(?:$|/)"]
      | makemv delim=" " answer | makemv delim=" " type | sort -count | table count,domain,type,query,answer
      | outputlookup createinapp=true discovered_dns_records.csv'
creation_date: '2019-02-14'
data_metadata:
  data_models:
  - Network_Resolution
  data_source:
  - Network Communication
  providing_technologies:
  - Splunk Stream
  - Bro
description: The search takes the corporate and common cloud provider domains configured
  under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv`,
  finds their DNS responses across the last 30 days in the `Network_Resolution` data model,
  then stores the output in the `discovered_dns_records.csv` lookup.
eli5: Discover the DNS records and their answers for domains owned by the company
  using network traffic events. The discovered events are exported as a lookup named
  `discovered_dns_records.csv`.
entities:
- query
- answer
how_to_implement: To successfully implement this search, you must be ingesting DNS
  logs and populating the Network_Resolution data model. Also make sure that the
  cim_corporate_web_domains and cim_corporate_email_domains lookups are populated
  with the domains owned by your corporation.
id: c096f721-8842-42ce-bfc7-74bd8c72b7c3
known_false_positives: 'Please vet the lookup created by this baseline search.'
maintainers:
- company: Splunk
  email: jhernandez@splunk.com
  name: Jose Hernandez
modification_date: '2019-02-14'
name: Discover DNS records
original_authors:
- company: Splunk
  email: jhernandez@splunk.com
  name: Jose Hernandez
spec_version: 2
type: splunk
version: '1.0'
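As an added illustration that is not part of the security_content repository, the Python below replays the baseline's search pipeline over a constructed domain lookup and a handful of constructed Network_Resolution events (`max_joins` stands in for the `max` argument of Splunk's `join`). It shows the rows that would land in `discovered_dns_records.csv` and makes two limits of the search visible: a lookup entry with a wildcard or a hyphen never joins, because `replace` leaves the leading dot behind and the rex only captures `\w` labels, and `join` keeps one subsearch row per lookup domain unless `max` is raised.

```python
import re
from collections import defaultdict

# Constructed stand-in for the three cim_* domain lookups (CIM lookups may carry wildcard entries)
LOOKUP_DOMAINS = ["example.com", "*.examplecloud.net", " partner-example.org "]

# Constructed Network_Resolution events: (message_type, query, record_type, answer)
DNS_EVENTS = [
    ("RESPONSE", "mail.example.com", "A", "203.0.113.10"),
    ("RESPONSE", "mail.example.com", "A", "203.0.113.11"),
    ("RESPONSE", "mail.example.com", "MX", "mail.example.com"),
    ("RESPONSE", "www.example.com", "CNAME", "edge.examplecloud.net"),
    ("RESPONSE", "edge.examplecloud.net", "A", "198.51.100.5"),
    ("RESPONSE", "cdn.partner-example.org", "A", "192.0.2.9"),
    ("RESPONSE", "broken.example.com", "A", "unknown"),  # dropped by DNS.answer!="unknown"
    ("QUERY", "www.example.com", "", ""),                 # dropped by DNS.message_type=RESPONSE
]
DOMAIN_RE = re.compile(r"(?P<domain>\w+\.\w+?)(?:$|/)")  # same pattern as the rex in the search

def lookup_side():
    # | inputlookup ... | eval domain = trim(replace(domain, "\*", ""))
    return [d.replace("*", "").strip() for d in LOOKUP_DOMAINS]

def tstats_side():
    """The subsearch: tstats count values(type) values(answer) by query | rename | where | rex."""
    agg = defaultdict(lambda: {"count": 0, "type": set(), "answer": set()})
    for msg_type, query, rtype, answer in DNS_EVENTS:
        if msg_type == "RESPONSE" and answer not in ("unknown", ""):
            agg[query]["count"] += 1
            agg[query]["type"].add(rtype)
            agg[query]["answer"].add(answer)
    rows = []
    for query in sorted(q for q in agg if q != "unknown"):  # tstats groups come back ordered by the by-field
        m = DOMAIN_RE.search(query)  # rex keeps the first match only; no match leaves domain unset
        rows.append({"query": query, "domain": m.group("domain") if m else None,
                     "count": agg[query]["count"], "type": sorted(agg[query]["type"]),
                     "answer": sorted(agg[query]["answer"])})
    return rows

def discover_dns_records(max_joins=1):
    """join domain [subsearch] | sort -count | table count,domain,type,query,answer
    Splunk's join keeps at most `max` subsearch rows per outer row; max defaults to 1 and 0 means all."""
    sub = tstats_side()
    joined = []
    for domain in lookup_side():
        matches = [r for r in sub if r["domain"] == domain]
        joined.extend(matches[:max_joins] if max_joins else matches)
    joined.sort(key=lambda r: -r["count"])
    return [(r["count"], r["domain"], r["type"], r["query"], r["answer"]) for r in joined]
```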