Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Reporting

Reply

guidance on custom search
PhilKing
New Member
Posts: 2

‎03-08-2023 01:53 PM

1034     0

I'm trying to find some direction customizing a search string, but have not found the correct search phrase to help. I found a report (DNS Top Requested Domain Names) that is close to what I'm looking for. I would like to modify the search string behind this report to return all matching for domain names beginning with 'xyz' instead of the top requested domain names. 

 

I think the highlighted section needs to be updated, but cannot find any information on the syntax to use.

 

index=ib_dns_summary report=si_dns_requested_domain | lookup dns_viewkey_displayname_lookup VIEW output display_name | stats sum(COUNT) as FQDN_TOTAL by FQDN | sort -FQDN_TOTAL | head 10 | eventstats sum(FQDN_TOTAL) as TOTAL | eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1) | eval PHOST=FQDN+" ("+PERCENT+"%)" | rename FQDN_TOTAL as Count, PHOST as "Domain Name" | fields "Domain Name", Count

Reply
0 Kudos

Re: guidance on custom search

[ Edited ]
shukran
Superuser
Posts: 38

‎03-09-2023 09:32 PM - edited ‎03-09-2023 09:33 PM

1034     0

Hey,

 

You can use the wildcard (*) search to filter out the domains starting with 'xyz'.

You can modify your search to include the FQDN.

index=ib_dns_summary report=si_dns_requested_domain FQDN="xyz*" | lookup......

'head 10' gives you top 10 in the list. if you want all the results you can remove this from the query.

Shukran
Reply

Re: guidance on custom search
PhilKing
New Member
Posts: 2

‎03-10-2023 07:28 AM

1034     0

that was exactly what I was trying to get. Thanks.

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements

Infoblox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community