
guidance on custom search

New Member

I'm trying to find some direction customizing a search string, but have not found the correct search phrase to help. I found a report (DNS Top Requested Domain Names) that is close to what I'm looking for. I would like to modify the search string behind this report to return all matches for domain names beginning with 'xyz' instead of the top requested domain names.

I think the highlighted section needs to be updated, but cannot find any information on the syntax to use.

index=ib_dns_summary report=si_dns_requested_domain | lookup dns_viewkey_displayname_lookup VIEW output display_name | stats sum(COUNT) as FQDN_TOTAL by FQDN | sort -FQDN_TOTAL | head 10 | eventstats sum(FQDN_TOTAL) as TOTAL | eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1) | eval PHOST=FQDN+" ("+PERCENT+"%)" | rename FQDN_TOTAL as Count, PHOST as "Domain Name" | fields "Domain Name", Count

Re: guidance on custom search

Superuser

Hey,

You can use the wildcard (*) search to filter out the domains starting with 'xyz'.

You can modify your search to include the FQDN.

index=ib_dns_summary report=si_dns_requested_domain FQDN="xyz*" | lookup......

'head 10' gives you the top 10 in the list. If you want all the results, you can remove this from the query.

Shukran
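The complete search with both changes applied, assembled here as an added example from the thread (it is not a query either poster ran): the FQDN prefix filter goes in the base search before the first pipe, and `head 10` is dropped so every matching domain is returned. Note that once `head 10` is gone, `eventstats` sums over all matching rows, so PERCENT becomes each domain's share of the 'xyz' set rather than of the top ten.

```spl
index=ib_dns_summary report=si_dns_requested_domain FQDN="xyz*"
| lookup dns_viewkey_displayname_lookup VIEW output display_name
| stats sum(COUNT) as FQDN_TOTAL by FQDN
| sort -FQDN_TOTAL
| eventstats sum(FQDN_TOTAL) as TOTAL
| eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1)
| eval PHOST=FQDN+" ("+PERCENT+"%)"
| rename FQDN_TOTAL as Count, PHOST as "Domain Name"
| fields "Domain Name", Count
```

If more than 10,000 domains match, write `sort 0 -FQDN_TOTAL`, because `sort` otherwise truncates its output at 10,000 results.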

Re: guidance on custom search

New Member

That was exactly what I was trying to get. Thanks.
