forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
get_dns_traffic_ratio.yml
40 lines (40 loc) · 1.43 KB
/
get_dns_traffic_ratio.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: Get DNS traffic ratio
id: bc91a8cf-35e7-4bb2-8140-e756cc06fd73
version: 1
date: '2017-11-09'
author: Bhavin Patel, Splunk
type: Investigation
datamodel:
- Network_Traffic
description: 'This search calculates the ratio of DNS traffic originating and coming
from a host to a list of DNS servers over the last 24 hours. A high value of this
ratio could be very useful to quickly understand if a src_ip (host) is sending a
high volume of data out via port 53, could be an indicator of data exfiltration
via DNS. '
search: '| tstats allow_old_summaries=true sum(All_Traffic.bytes_out) as "bytes_out"
sum(All_Traffic.bytes_in) as "bytes_in" from datamodel=Network_Traffic where nodename=All_Traffic
All_Traffic.dest_port=53 by All_Traffic.src All_Traffic.dest| `drop_dm_object_name(All_Traffic)`
| rename src as src_ip | rename dest as dest_ip | search src_ip=$src_ip$ | search
dest_ip = $dest_ip | eval ratio = (bytes_out/bytes_in) | table ratio'
how_to_implement: You must be ingesting your network traffic
known_false_positives: ''
references: []
tags:
analytic_story:
- AWS Network ACL Activity
- Data Protection
- Dynamic DNS
- Hidden Cobra Malware
- Suspicious AWS Traffic
- Suspicious DNS Traffic
- Command And Control
product:
- Splunk Phantom
required_fields:
- _time
- All_Traffic.bytes_out
- All_Traffic.bytes_in
- All_Traffic.dest_port
- All_Traffic.src
- All_Traffic.dest
security_domain: network