DNS Tunneling events Reports

I have been asked how to build a report showing the domains used by the DNS tunneling; here are the 3 ways I have figured out. Tell me if you see a better way, I will be happy to improve it.


1) verbose - showing all the hits:

index=ib_security_summary report=si_dns_tunneling_activity
| append
[ search index=ib_dns_summary report=si_dns_rpz_hits
| eval JOIN_FIELD=1
| join JOIN_FIELD
[ | inputlookup analytics_rpz_lookup
| eval JOIN_FIELD=1 ]
| where like(RPZ_QNAME, "%" + ANALYTICS_RPZ)
| where MITIGATION_ACTION != "ER"
| eval DNST_CATEGORY="Detected by Analytics Engine"
| eval RULE_DESCRIPTION=ANALYTICS_RPZ]
| stats sum(TOTAL_COUNT) as ACTIVE_COUNT by CLIENT, DNST_CATEGORY, RULE_DESCRIPTION,RPZ_QNAME

[Screenshot of the report output: Capture d’écran 2017-02-21 à 22.52.25.png]


2) less verbose - 3-label aggregation

index=ib_security_summary report=si_dns_tunneling_activity
| append
[ search index=ib_dns_summary report=si_dns_rpz_hits | rex field=RPZ_QNAME "(?<l3domain>[^\.]+\.[^\.]+\.[^\.]+)\.[^\.]+$"
| eval JOIN_FIELD=1
| join JOIN_FIELD
[ | inputlookup analytics_rpz_lookup
| eval JOIN_FIELD=1 ]
| where like(RPZ_QNAME, "%" + ANALYTICS_RPZ)
| where MITIGATION_ACTION != "ER"
| eval DNST_CATEGORY="Detected by Analytics Engine"
| eval RULE_DESCRIPTION=ANALYTICS_RPZ]
| stats sum(TOTAL_COUNT) as ACTIVE_COUNT by CLIENT, DNST_CATEGORY, RULE_DESCRIPTION, l3domain

[Screenshot of the report output: Capture d’écran 2017-02-21 à 23.09.17.png]
3) even less verbose - 2-label aggregation

index=ib_security_summary report=si_dns_tunneling_activity
| append
[ search index=ib_dns_summary report=si_dns_rpz_hits | rex field=RPZ_QNAME "(?<l2domain>[^\.]+\.[^\.]+)\.[a-z]+$"
| eval JOIN_FIELD=1
| join JOIN_FIELD
[ | inputlookup analytics_rpz_lookup
| eval JOIN_FIELD=1 ]
| where like(RPZ_QNAME, "%" + ANALYTICS_RPZ)
| where MITIGATION_ACTION != "ER"
| eval DNST_CATEGORY="Detected by Analytics Engine"
| eval RULE_DESCRIPTION=ANALYTICS_RPZ]
| stats sum(TOTAL_COUNT) as ACTIVE_COUNT by CLIENT, DNST_CATEGORY, RULE_DESCRIPTION, l2domain

[Screenshot of the report output: Capture d’écran 2017-02-21 à 23.06.01.png]
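To make the three aggregations above concrete, here is an added Python example (editor's illustration, not the poster's code and not an Infoblox or Splunk component). It emulates only the appended subsearch over si_dns_rpz_hits: the cross join with the analytics_rpz_lookup rows via JOIN_FIELD=1, the `like(RPZ_QNAME, "%" + ANALYTICS_RPZ)` suffix test, the `MITIGATION_ACTION != "ER"` filter, the two `rex` patterns from reports 2 and 3 (translated from Splunk's `(?<name>...)` to Python's `(?P<name>...)`), and the final `stats sum(TOTAL_COUNT)`. The si_dns_tunneling_activity rows that the main search contributes are out of scope. All hit rows and lookup entries are constructed sample data. Two behaviours worth knowing about before trusting the counts are visible in the output: a name with fewer labels than the `rex` pattern requires gets no l3domain/l2domain and therefore disappears from `stats ... by`, and a multi-part public suffix such as `co.uk` makes both patterns cut the label one level too early.

```python
import re
from collections import Counter

CATEGORY = "Detected by Analytics Engine"

# Constructed stand-in for si_dns_rpz_hits summary events (not real traffic).
RPZ_HITS = [
    {"CLIENT": "10.0.0.5", "RPZ_QNAME": "a1b2c3.data.exfil.example.net", "MITIGATION_ACTION": "NXDOMAIN", "TOTAL_COUNT": 40},
    {"CLIENT": "10.0.0.5", "RPZ_QNAME": "d4e5f6.data.exfil.example.net", "MITIGATION_ACTION": "NXDOMAIN", "TOTAL_COUNT": 25},
    {"CLIENT": "10.0.0.9", "RPZ_QNAME": "xyz.tunnel.example.org",        "MITIGATION_ACTION": "NXDOMAIN", "TOTAL_COUNT": 7},
    {"CLIENT": "10.0.0.9", "RPZ_QNAME": "tunnel.example.org",            "MITIGATION_ACTION": "NXDOMAIN", "TOTAL_COUNT": 5},   # only 3 labels
    {"CLIENT": "10.0.0.9", "RPZ_QNAME": "passthru.example.org",          "MITIGATION_ACTION": "ER",       "TOTAL_COUNT": 3},   # filtered: ER
    {"CLIENT": "10.0.0.7", "RPZ_QNAME": "host.benign.example.com",       "MITIGATION_ACTION": "NXDOMAIN", "TOTAL_COUNT": 9},   # no lookup match
    {"CLIENT": "10.0.0.3", "RPZ_QNAME": "c0ffee.beacon.example.co.uk",   "MITIGATION_ACTION": "NXDOMAIN", "TOTAL_COUNT": 12},  # multi-part suffix
]

# Constructed stand-in for the ANALYTICS_RPZ column of analytics_rpz_lookup.
ANALYTICS_RPZ = ["example.net", "example.org", "example.co.uk"]

# The two rex patterns from reports 2 and 3, in Python named-group syntax.
L3_RE = re.compile(r"(?P<l3domain>[^.]+\.[^.]+\.[^.]+)\.[^.]+$")
L2_RE = re.compile(r"(?P<l2domain>[^.]+\.[^.]+)\.[a-z]+$")


def build_report(hits, rpz_list, pattern=None):
    """Return ({(CLIENT, DNST_CATEGORY, RULE_DESCRIPTION, label): ACTIVE_COUNT}, dropped).

    pattern=None reproduces report 1 (aggregate by the full RPZ_QNAME);
    L3_RE / L2_RE reproduce reports 2 and 3. 'dropped' lists names the rex
    pattern did not match; Splunk silently leaves those out of a
    `stats ... by l3domain` because the by-field is null for them.
    """
    totals = Counter()
    dropped = []
    for hit in hits:
        # | where MITIGATION_ACTION != "ER"
        if hit["MITIGATION_ACTION"] == "ER":
            continue
        # join on JOIN_FIELD=1 is a cross join: every hit meets every lookup row,
        # and like(RPZ_QNAME, "%" + ANALYTICS_RPZ) keeps the suffix matches.
        # Note that "%" matches anything, so "badexample.net" also ends with
        # "example.net"; a stricter test would require a leading dot.
        for rpz in rpz_list:
            if not hit["RPZ_QNAME"].endswith(rpz):
                continue
            if pattern is None:
                label = hit["RPZ_QNAME"]
            else:
                m = pattern.search(hit["RPZ_QNAME"])
                if m is None:
                    dropped.append(hit["RPZ_QNAME"])
                    continue
                label = m.group(1)
            # stats sum(TOTAL_COUNT) as ACTIVE_COUNT by CLIENT, DNST_CATEGORY, RULE_DESCRIPTION, <label>
            totals[(hit["CLIENT"], CATEGORY, rpz, label)] += hit["TOTAL_COUNT"]
    return dict(totals), dropped


if __name__ == "__main__":
    for title, pat in (("1) full RPZ_QNAME", None), ("2) l3domain", L3_RE), ("3) l2domain", L2_RE)):
        report, dropped = build_report(RPZ_HITS, ANALYTICS_RPZ, pat)
        print(title)
        for key, count in sorted(report.items()):
            print("  ", *key, count)
        if dropped:
            print("   dropped by rex (no label):", dropped)
```

Running it shows report 2 silently losing `tunnel.example.org` (three labels, so the four-label pattern never matches) and report 3 collapsing `c0ffee.beacon.example.co.uk` to `example.co` rather than `example.co.uk`. If those domains matter for the report, either anchor the patterns on a known suffix list or fall back to the full name when the rex produces nothing (in SPL, a `fillnull` or `coalesce` on the label field before the `stats`).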
