
DNS Report with Client IP Addresses Domain Name queried and Count Query


Hi All

Is it possible to have/build a report with the fields in the title message?

CLIENT, CLIENT_Queries and FQDN Queried


I tried to create it by "merging" in some way two existing reports which have the fields and information needed:

DNS Top Client (without the splunk code to obtain TOP) and

DNS Domain Queried by Client


Something like this:

index=ib_dns_summary
| lookup dns_viewkey_displayname_lookup VIEW output display_name
| stats sum(COUNT) as Count by CLIENT, FQDN
| eventstats sum(Count) as CLIENT_QUERIES by CLIENT
| rename FQDN as "Domain Name"
| fields CLIENT, CLIENT_QUERIES, "Domain Name", Count
| sort - CLIENT_QUERIES, - Count

But the result is a standard event.


Thanks in advance
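The aggregation the search above is trying to express, written out in Python as an added example (it is not code from the original post, from Infoblox or from Splunk): each input row stands for one ib_dns_summary event with CLIENT, FQDN and COUNT fields (the sample records are constructed), the first pass sums COUNT per (CLIENT, FQDN) the way `stats ... by CLIENT, FQDN` does, and the second pass attaches a per-client total to every row the way `eventstats ... by CLIENT` does, so the output table carries the client, its total queries, the domain name and the per-domain count together.

```python
from collections import defaultdict

# Constructed sample of ib_dns_summary-style events: one row per
# (client, queried name) carrying a pre-aggregated COUNT. The addresses,
# names and counts are made up for illustration.
SAMPLE_EVENTS = [
    {"CLIENT": "10.0.0.5", "FQDN": "www.example.com", "COUNT": 120},
    {"CLIENT": "10.0.0.5", "FQDN": "mail.example.com", "COUNT": 30},
    {"CLIENT": "10.0.0.5", "FQDN": "www.example.com", "COUNT": 50},
    {"CLIENT": "10.0.0.9", "FQDN": "www.example.com", "COUNT": 10},
    {"CLIENT": "10.0.0.9", "FQDN": "update.example.org", "COUNT": 400},
]


def per_client_fqdn_counts(events):
    """First pass: sum COUNT by (CLIENT, FQDN).

    Equivalent to `stats sum(COUNT) as Count by CLIENT, FQDN`: one output
    entry per distinct client/domain pair, which is the finest granularity
    the report needs. Two events for the same pair are added together.
    """
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["CLIENT"], ev["FQDN"])] += int(ev["COUNT"])
    return counts


def build_report(events):
    """Second pass: attach each client's total to every one of its rows.

    Mirrors `eventstats sum(Count) as CLIENT_QUERIES by CLIENT`, which adds
    the per-client total as a column without collapsing rows, followed by
    the rename/fields/sort that shape the final table.
    """
    pair_counts = per_client_fqdn_counts(events)

    # Per-client totals computed from the already-aggregated pairs.
    client_totals = defaultdict(int)
    for (client, _fqdn), count in pair_counts.items():
        client_totals[client] += count

    rows = [
        {
            "CLIENT": client,
            "CLIENT_QUERIES": client_totals[client],
            "Domain Name": fqdn,
            "Count": count,
        }
        for (client, fqdn), count in pair_counts.items()
    ]
    # Busiest client first, then that client's most-queried names first.
    rows.sort(key=lambda r: (-r["CLIENT_QUERIES"], -r["Count"], r["CLIENT"], r["Domain Name"]))
    return rows


if __name__ == "__main__":
    print(f'{"CLIENT":<12} {"CLIENT_QUERIES":>14} {"Domain Name":<22} {"Count":>6}')
    for row in build_report(SAMPLE_EVENTS):
        print(f'{row["CLIENT"]:<12} {row["CLIENT_QUERIES"]:>14} {row["Domain Name"]:<22} {row["Count"]:>6}')
```

Doing the grouping in one pass by (CLIENT, FQDN) and only then summing per client is what avoids the problem in a chained `stats ... by FQDN | stats ... by CLIENT`, where the second stats no longer sees CLIENT or COUNT because the first one discarded them; the per-client total then rides along on every row, so one table shows both which hosts are noisy and which names they are resolving.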
