forked from splunk/security_content
train_dns_query_length.yml
baseline:
  splunk:
    schedule:
      cron_schedule: ''
      earliest_time: -31d@d
      latest_time: -1d@d
    search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.query
      DNS.record_type | search DNS.record_type=* | `drop_dm_object_name("DNS")` |
      eval query_length = len(query) | fit DensityFunction query_length by record_type
      into dns_query_pdfmodel'
creation_date: '2019-05-08'
data_metadata:
  data_models:
  - Network_Resolution
  data_source:
  - DNS
  providing_technologies:
  - Splunk Stream
  - Bro
description: This search is used to build a Machine Learning Toolkit (MLTK) model
  to characterize the length of the DNS queries for each DNS record type observed
  in the environment. By default, the search uses the last 30 days of data to build
  the model. The model created by this search is then used in the corresponding detection
  search, which uses it to identify outliers in the length of the DNS query.
eli5: Create a machine-learning (ML) model to characterize the length of DNS requests
  seen in your environment to help identify unusually long ones that may be indicative
  of attacker infrastructure or the use of DNS as a command-and-control channel in
  your environment.
how_to_implement: To successfully implement this search, you will need to ensure that
  DNS data is populating the Network_Resolution data model. In addition, you must
  have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any
  required dependencies. By default, the search builds the model using the past 30
  days of data. You can modify the search window to build the model over a longer
  period of time, which may give you better results. You may also want to periodically
  re-run this search to rebuild the model with the latest data. More information on
  the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.
id: c914844c-0ff5-4efc-8d44-c063443129ba
known_false_positives: ''
maintainers:
- company: Splunk
  email: rvaldez@splunk.com
  name: Rico Valdez
modification_date: '2019-05-08'
name: Baseline of DNS Query Length - MLTK
original_authors:
- company: Splunk
  email: rvaldez@splunk.com
  name: Rico Valdez
spec_version: 2
type: splunk
version: '1.0'
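The baseline search above fits one density per DNS record type over the length of each distinct query name, and the companion detection later scores new queries against that model. The Python below is an added illustration of that fit/apply pair; it is not code from splunk/security_content or MLTK. It approximates MLTK's DensityFunction with a per-record-type normal distribution (MLTK can fit other distributions), uses an assumed tail threshold of 0.01 (the page does not state the detection's threshold), and runs over constructed events rather than Network_Resolution data. Two details of the SPL are mirrored deliberately: `tstats ... by DNS.query DNS.record_type` yields one row per distinct (query, record_type), so a name that resolved a thousand times still contributes a single sample to the fit, and `search DNS.record_type=*` discards rows that carry no record type.

```python
"""
Added example (not code from splunk/security_content): a stand-in for the
baseline's `fit DensityFunction query_length by record_type` and for the
outlier check its companion detection performs. DensityFunction is approximated
with a per-record-type normal distribution; the 0.01 tail threshold is an
assumption, not a value stated in the baseline spec.
"""
from collections import defaultdict
from math import erf, sqrt
from statistics import mean, pstdev

# Constructed Network_Resolution-style events: (record_type, query). Not real
# traffic; the repeated name and the empty record_type are there on purpose.
BASELINE_EVENTS = [
    ("A", "www.example.com"), ("A", "www.example.com"), ("A", "mail.example.com"),
    ("A", "example.org"), ("A", "cdn.example.net"), ("A", "api.example.com"),
    ("A", "login.example.com"), ("A", "static.example.org"), ("A", "img.example.net"),
    ("A", "shop.example.com"), ("A", "ns1.example.com"),
    ("TXT", "_dmarc.example.com"), ("TXT", "example.com"),
    ("TXT", "_acme-challenge.example.com"),
    ("TXT", "selector1._domainkey.example.com"), ("TXT", "_dmarc.example.org"),
    ("", "noname.example.com"),  # no record_type: dropped like `search DNS.record_type=*`
]


def fit_baseline(events, min_samples=2):
    """Build {record_type: (mu, sigma, n)} from (record_type, query) events.

    Each distinct (record_type, query) pair is fitted once, mirroring the
    `tstats ... by DNS.query DNS.record_type` row structure; rows without a
    record type are skipped; types with too few samples get no model.
    """
    distinct = {(rt, q) for rt, q in events if rt}
    lengths = defaultdict(list)
    for record_type, query in distinct:
        lengths[record_type].append(len(query))   # eval query_length = len(query)
    model = {}
    for record_type, values in lengths.items():
        if len(values) >= min_samples:
            model[record_type] = (mean(values), pstdev(values), len(values))
    return model


def tail_probability(x, mu, sigma):
    """Two-sided tail mass P(|X - mu| >= |x - mu|) for X ~ N(mu, sigma)."""
    if sigma == 0.0:
        return 1.0 if x == mu else 0.0
    z = abs(x - mu) / sigma
    return 1.0 - erf(z / sqrt(2.0))


def is_outlier(model, record_type, query, threshold=0.01):
    """True when the query length falls in the low-density tail for its type.

    Returns None when the baseline holds no model for this record type, so the
    caller decides whether unseen types should alert or be ignored.
    """
    if record_type not in model:
        return None
    mu, sigma, _ = model[record_type]
    return tail_probability(len(query), mu, sigma) < threshold


def find_outliers(model, events, threshold=0.01):
    """Score a batch of new (record_type, query) events; return the outliers."""
    return [(rt, q, len(q)) for rt, q in events if is_outlier(model, rt, q, threshold)]


if __name__ == "__main__":
    model = fit_baseline(BASELINE_EVENTS)
    for rt, (mu, sigma, n) in sorted(model.items()):
        print(f"{rt:4} n={n:2} mean={mu:5.1f} stdev={sigma:5.2f}")
    new_events = [
        ("A", "docs.example.com"),
        ("A", "x" * 50 + ".example.com"),   # constructed over-long label
        ("TXT", "_dmarc.example.net"),
        ("AAAA", "www.example.com"),          # no baseline for this type
    ]
    for hit in find_outliers(model, new_events):
        print("outlier:", hit)
```

Two practical points carry over to the real search. Because the fit is per record type, a TXT name that would be unremarkable among other TXT records can still be an outlier as an A query, which is why the baseline is keyed `by record_type`. And because `tstats` collapses repeats, a 30-day window dominated by a handful of very long but legitimate names (CDN or DKIM selectors, say) widens the distribution for that type and raises the detection's miss rate, which is the reason the spec suggests re-running the baseline periodically and considering a longer window.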