guidance on custom search

New Member
Posts: 2

I'm trying to find some direction on customizing a search string, but have not found the correct search phrase to help. I found a report (DNS Top Requested Domain Names) that is close to what I'm looking for. I would like to modify the search string behind this report to return all matches for domain names beginning with 'xyz' instead of the top requested domain names.


I think the highlighted section needs to be updated, but cannot find any information on the syntax to use.


index=ib_dns_summary report=si_dns_requested_domain | lookup dns_viewkey_displayname_lookup VIEW output display_name | stats sum(COUNT) as FQDN_TOTAL by FQDN | sort -FQDN_TOTAL | head 10 | eventstats sum(FQDN_TOTAL) as TOTAL | eval PERCENT=round(FQDN_TOTAL*100/TOTAL, 1) | eval PHOST=FQDN+" ("+PERCENT+"%)" | rename FQDN_TOTAL as Count, PHOST as "Domain Name" | fields "Domain Name", Count

Re: guidance on custom search

Superuser
Posts: 38

Hey,


You can use the wildcard (*) search to filter out the domains starting with 'xyz'.

You can modify your search to include the FQDN.

index=ib_dns_summary report=si_dns_requested_domain FQDN="xyz*" | lookup......

'head 10' gives you the top 10 in the list. If you want all the results, you can remove this from the query.

Shukran
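To make the effect of the two changes above concrete (the FQDN="xyz*" filter and dropping `head 10`), here is a small Python model of the pipeline from the original query, run over a handful of constructed summary rows. This is an added example, not code from the thread or from Infoblox; the sample rows, the `top_requested` function and its `fqdn_pattern`/`head` parameters are assumptions made for illustration, and the `lookup` step is left out because its `display_name` output is never used by the report. The point worth noticing is ordering: `eventstats` runs after `head`, so the PERCENT column is relative to the rows that survive the filter and the head cut, not to all DNS traffic.

```python
"""Model of the Splunk search from this thread:
  search FQDN=<pattern> | stats sum(COUNT) by FQDN | sort -total
  | head N | eventstats sum as TOTAL | eval PERCENT | eval PHOST
Constructed sample data only; not a Splunk client."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed rows standing in for the si_dns_requested_domain summary
# (made up for this example, not real data).
SAMPLE_ROWS = [
    {"FQDN": "xyz.example.com", "COUNT": 120},
    {"FQDN": "xyz-cdn.example.net", "COUNT": 45},
    {"FQDN": "www.example.com", "COUNT": 300},
    {"FQDN": "xyz.example.com", "COUNT": 30},
    {"FQDN": "abc.example.org", "COUNT": 10},
    {"FQDN": "XYZ.other.test", "COUNT": 5},
]


def top_requested(rows, fqdn_pattern="*", head=None):
    """Return [{"Domain Name": "fqdn (pct%)", "Count": n}, ...] the way the
    report does.  fqdn_pattern is a Splunk-style wildcard such as "xyz*";
    head=None models removing '| head 10' from the query."""
    # The search command matches field values case-insensitively, so the
    # filter is applied on lower-cased strings; 'stats ... by FQDN' is
    # case-sensitive, so the original FQDN is kept as the grouping key.
    totals = defaultdict(int)
    for row in rows:
        if fnmatchcase(row["FQDN"].lower(), fqdn_pattern.lower()):
            totals[row["FQDN"]] += row["COUNT"]

    # sort -FQDN_TOTAL (ties broken by name for a stable result)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    if head is not None:
        ranked = ranked[:head]

    # eventstats sum(FQDN_TOTAL) as TOTAL runs after head, so TOTAL only
    # covers the retained rows; PERCENT is a share of that subset.
    grand = sum(count for _, count in ranked)
    result = []
    for fqdn, count in ranked:
        pct = round(count * 100 / grand, 1) if grand else 0.0
        result.append({"Domain Name": f"{fqdn} ({pct}%)", "Count": count})
    return result


if __name__ == "__main__":
    print("all domains starting with xyz, no head:")
    for line in top_requested(SAMPLE_ROWS, "xyz*"):
        print(f'  {line["Domain Name"]:32} {line["Count"]}')
    print("same filter with head 2 (note the percentages shift):")
    for line in top_requested(SAMPLE_ROWS, "xyz*", head=2):
        print(f'  {line["Domain Name"]:32} {line["Count"]}')
```

Running it shows `xyz.example.com` at 75.0% of the filtered total when every matching domain is kept, but 76.9% once `head 2` trims the list, which is the behaviour to keep in mind when reading the PERCENT column of the original report.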

Re: guidance on custom search

New Member
Posts: 2

That was exactly what I was trying to get. Thanks.
