
search string to find domain hits per minute over a certain time range.


Hello,

We wish to have a search string to get hits per domain per hour (or minute, or second).

I have found the string below regarding hits for a specific domain. How do I add hits per hour to this?

index=ib_dns_summary report=si_dns_requested_domain display_name="External" (FQDN="www.example.co.uk" OR FQDN="example.co.uk") | rex "^(?:[^\.\n]*\.){5}(?P<DOMAINNAME>\w+\.\w+)" | stats sum(COUNT) as FQDN_TOTAL by FQDN, DOMAINNAME | sort DOMAINNAME | stats sum(FQDN_TOTAL) as "TOTAL HITS" by DOMAINNAME

Thanks to all,

Re: search string to find domain hits per minute over a certain time range.


Hello alonk,

The predefined report that you're using here is configured to run at every 30th minute from 4 through 59. The data would include the first 30 minutes of the previous hour. So apparently the COUNT you're looking at is the total number of times that the FQDN was queried in the first 30 minutes of the last hour. I don't think you would need to make any changes to that raw information, unless you'd like to divide it by 1800 to convert the value to hits per second, or by 30 to convert it to hits per minute.

So I'd write the string to include the time period as:

Hits per minute:

index=ib_dns_summary source="si-search-dns-requested-domain" (FQDN="www.example.co.uk" OR FQDN="example.co.uk") | eval "events-from"=strftime(info_min_time, "%Y-%m-%d %H:%M") | eval "events-to"=strftime(info_max_time, "%Y-%m-%d %H:%M") | eval "Hits-per-minute"=tonumber(COUNT)/30 | table FQDN, events-from, events-to, Hits-per-minute

Hits per second:

index=ib_dns_summary source="si-search-dns-requested-domain" (FQDN="www.example.co.uk" OR FQDN="example.co.uk") | eval "events-from"=strftime(info_min_time, "%Y-%m-%d %H:%M") | eval "events-to"=strftime(info_max_time, "%Y-%m-%d %H:%M") | eval "Hits-per-second"=tonumber(COUNT)/1800 | table FQDN, events-from, events-to, Hits-per-second

Sample output: [screenshot si_dns_domain_alman.png, not reproduced here]

Sorry that the post was left unanswered for quite some time. Hope this helps.

Best regards,
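As an added example, not part of the thread and not Infoblox or Splunk code: a small Python script that does the same arithmetic as the searches above outside Splunk, so the numbers can be checked. It differs from the reply's searches in three ways a practitioner would want: the divisor is the summary window's real length (info_max_time minus info_min_time) rather than a hard-coded 30 or 1800, so a short or partial window is not understated; FQDNs are rolled up to their registrable domain with a toy stand-in for the Public Suffix List (the thread's rex assumes a fixed number of labels, which breaks for names such as example.co.uk); and, because the summary index only holds 30-minute buckets, true per-minute counts are shown by binning constructed raw query records, the equivalent of `bin _time span=1m | stats count by _time, FQDN`. The summary rows, the raw record format `<epoch> <client> <fqdn>` and the suffix set are all constructed for this example.

```python
"""Added example (not from the forum thread): DNS query rates per domain,
computed from Splunk-style summary rows and from raw per-query records.

Assumptions, none of which come from the page: summary rows carry FQDN,
COUNT, info_min_time and info_max_time (epoch seconds) as in the reply's
search; the raw record format "<epoch> <client> <fqdn>" is hypothetical;
PUBLIC_SUFFIXES is a toy stand-in for the real Public Suffix List.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed summary-index rows: one COUNT per FQDN per summary window.
SUMMARY_ROWS = [
    {"FQDN": "www.example.co.uk", "COUNT": "900",
     "info_min_time": 1700000000, "info_max_time": 1700001800},  # 30-minute window
    {"FQDN": "example.co.uk", "COUNT": "180",
     "info_min_time": 1700000000, "info_max_time": 1700001800},
    {"FQDN": "www.example.co.uk", "COUNT": "120",
     "info_min_time": 1700001800, "info_max_time": 1700002400},  # 10-minute window
]

# Constructed raw query records (hypothetical format): "<epoch> <client> <fqdn>".
RAW_QUERIES = """\
1700000045 10.0.0.5 www.example.co.uk
1700000057 10.0.0.9 example.co.uk
1700000083 10.0.0.5 www.example.co.uk
1700000101 10.0.0.7 www.example.co.uk
1700000159 10.0.0.7 mail.example.co.uk
1700000165 10.0.0.9 www.example.co.uk
1700000170 10.0.0.2 www.other.com
"""

# Toy stand-in for the Public Suffix List; a real deployment should load the
# full list (for example via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"co.uk", "com", "net", "org"}


def rate_from_summary(row):
    """Return (hits per minute, hits per second) for one summary row.

    The divisor is the window's real length, not a hard-coded 30 / 1800,
    so a short or partial window does not understate the rate.
    """
    seconds = row["info_max_time"] - row["info_min_time"]
    if seconds <= 0:
        raise ValueError("empty or inverted summary window")
    count = int(row["COUNT"])
    return count / (seconds / 60), count / seconds


def registered_domain(fqdn):
    """Registrable domain: one label below the longest matching public suffix.

    Returns None when the FQDN is itself a public suffix.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # the longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def hits_per_minute(raw_text, domain=None):
    """Bucket raw queries into one-minute bins, like
    `bin _time span=1m | stats count by _time, FQDN` in Splunk.

    Returns {(minute_epoch, fqdn): count}; `domain` optionally restricts the
    result to FQDNs under one registrable domain.
    """
    counts = defaultdict(int)
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        ts, _client, fqdn = line.split()
        if domain is not None and registered_domain(fqdn) != domain:
            continue
        counts[(int(ts) // 60 * 60, fqdn)] += 1
    return dict(counts)


def hits_per_minute_by_domain(raw_text):
    """Roll the per-FQDN minute counts up to the registrable domain."""
    totals = defaultdict(int)
    for (minute, fqdn), n in hits_per_minute(raw_text).items():
        totals[(minute, registered_domain(fqdn) or fqdn)] += n
    return dict(totals)


if __name__ == "__main__":
    for row in SUMMARY_ROWS:
        per_min, per_sec = rate_from_summary(row)
        print(f"{row['FQDN']:<20} {per_min:6.1f}/min  {per_sec:.3f}/s")
    for (minute, dom), n in sorted(hits_per_minute_by_domain(RAW_QUERIES).items()):
        when = datetime.fromtimestamp(minute, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(when, dom, n)
```

The third summary row is the case the hard-coded divisor gets wrong: 120 queries in a 10-minute window is 12 per minute, not 4. If only the summary index is available, the search should compute the divisor from `info_max_time - info_min_time` the same way; if per-minute resolution is actually required, the raw DNS index has to be queried, since a 30-minute COUNT cannot be split into minutes after the fact.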
