Hi,
I'm looking at enabling the 'DNS Query Requests Resolved by Unauthorized DNS Servers' rule in Splunk ES - Unfortunately this is generating a large amount of false results.
See the search below:
| tstats summariesonly
count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | drop_dm_object_name("DNS")
I want to add a list of legitimate DNS servers to this search so that the false alerts can be excluded from this.
I'm wondering what the best way to incorporate this into the search would be (potentially a lookup)?
Thanks
A lookup is the way that I would suggest doing it.
I tested this and got this to work pretty easily. Here is how I did it:
I made a lookup file with two columns:
You can specify a value of "1" in the approved column to drop the destination from the search.
Next, I updated the search to use the lookup and drop the entries that match it:
| tstats `summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")` | lookup dns_exception_list dest | search NOT approved=1
Note that the lookup I created was called "dns_exception_list". It drops any entries where the 'approved' column has a value of '1'.