
Discovering client that queries non-FQDN according to DNS-suffix searchlist

New Member
Posts: 1

The company has been using the DNS suffix list instead of using FQDNs. The list has been rather a long one.

In an attempt to shorten the list for security and performance reasons, we reconfigured clients and applications, but we would like to make sure we have accomplished this: that clients are now using FQDNs rather than hostnames, leaving suffix-query searching to the absolute minimum.

My question is regarding Reporting:

Is there a Splunk query I could run to catch clients that query the search list one by one, row by row, step by step for a hostname + domain suffix?

Thanks

Re: Discovering client that queries non-FQDN according to DNS-suffix searchlist

Expert
Posts: 12

I'm sure there is, but would a simpler query just be to look at your high NXDOMAIN query source clients? Most of our suffix search list abusers are also on the top NXDOMAIN requests as well. The other search that jumps out is when they add the suffix onto a valid FQDN.

i.e. you wind up with "servername.2nd-level.infoblox.com.infoblox.com"

Those are usually pretty easy to sort to the top of the query list as well.
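As an added illustration of the three signals discussed in this thread (top NXDOMAIN clients, a suffix glued onto an already-qualified name, and a client walking the search list for one short name), here is a Python script, not code from the thread or from Infoblox, that runs them over a few constructed query-log records. The record layout (client, query name, rcode) and the search list are assumptions; in Splunk the same logic is a stats count by client where rcode=NXDOMAIN plus a regex on the query name.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real traffic): client IP, query name, rcode.
# The field layout is an assumption, not an exact Infoblox or Splunk schema.
SAMPLE_LOG = """\
10.0.0.5 fileserver.corp.example.com. NOERROR
10.0.0.7 intranet.corp.example.com. NXDOMAIN
10.0.0.7 intranet.eu.example.com. NXDOMAIN
10.0.0.7 intranet.lab.example.com. NXDOMAIN
10.0.0.7 intranet.example.com. NOERROR
10.0.0.9 fileserver.corp.example.com.corp.example.com. NXDOMAIN
10.0.0.9 fileserver.corp.example.com. NOERROR
"""

# Assumed client search list, longest suffix first so the longest match wins.
SEARCH_LIST = sorted(
    ["corp.example.com", "eu.example.com", "lab.example.com", "example.com"],
    key=len, reverse=True)

def parse_log(text):
    """Yield (client, qname, rcode); qname lower-cased, trailing dot dropped."""
    for line in text.splitlines():
        client, qname, rcode = line.split()
        yield client, qname.lower().rstrip("."), rcode

def split_suffix(qname):
    """Return (short name, suffix) for the longest matching search-list suffix."""
    for sfx in SEARCH_LIST:
        if qname.endswith("." + sfx):
            return qname[: -len(sfx) - 1], sfx
    return qname, None

def top_nxdomain_clients(records, n=5):
    """Signal 1: clients receiving the most NXDOMAIN answers."""
    return Counter(c for c, _, r in records if r == "NXDOMAIN").most_common(n)

def suffix_appended_to_fqdn(qname):
    """Signal 2: a search suffix appended to a name that was already qualified."""
    short, sfx = split_suffix(qname)
    return sfx is not None and split_suffix(short)[1] is not None

def searchlist_walkers(records, min_suffixes=2):
    """Signal 3: one client trying the same short name under several suffixes."""
    tried = defaultdict(lambda: defaultdict(set))
    for client, qname, rcode in records:
        short, sfx = split_suffix(qname)
        if rcode == "NXDOMAIN" and sfx is not None:
            tried[client][short].add(sfx)
    return {c: {s: sorted(v) for s, v in names.items() if len(v) >= min_suffixes}
            for c, names in tried.items()
            if any(len(v) >= min_suffixes for v in names.values())}

if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("top NXDOMAIN clients:", top_nxdomain_clients(recs))
    print("suffix on FQDN:", [(c, q) for c, q, _ in recs if suffix_appended_to_fqdn(q)])
    print("search-list walkers:", searchlist_walkers(recs))
```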

