05-16-2018 02:38 PM
I would like to create a report so I can drill down to find out which clients are sending queries to my "Top NXDomain" and "Top Timed-out Recursive" FQDNs. I can't seem to find an index that has both client and source data.
This would be very useful for cases where people see tens or hundreds of thousands of NXDoman or timed-out recursive hits - the next question is always "who is making all those queries?"
To simplify, I think a "Top 10 clients" report based on a FQDN filter would do the trick, if such a thing is possible.
05-17-2018 03:03 AM
You can do a simple report that list Top timeout relying on index=ib_dns_summary report=si_top_timeout_queries
and then a drilldown that triggers a search on sourcetype=ib:dns:capture index=ib_dns_capture selected_domain
Note that you must use the query capture and data connector to log all DNS queries and responses.