-
Notifications
You must be signed in to change notification settings - Fork 383
/
Copy pathbaseline_of_dns_query_length___mltk.yml
45 lines (45 loc) · 2 KB
/
baseline_of_dns_query_length___mltk.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
name: Baseline of DNS Query Length - MLTK
id: c914844c-0ff5-4efc-8d44-c063443129ba
version: 1
date: '2019-05-08'
author: Rico Valdez, Splunk
type: Baseline
status: production
description: This search is used to build a Machine Learning Toolkit (MLTK) model
to characterize the length of the DNS queries for each DNS record type observed
in the environment. By default, the search uses the last 30 days of data to build
the model. The model created by this search is then used in the corresponding detection
search, which uses it to identify outliers in the length of the DNS query.
search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution
by DNS.query DNS.record_type | search DNS.record_type=* | `drop_dm_object_name("DNS")`
| eval query_length = len(query) | fit DensityFunction query_length by record_type
into dns_query_pdfmodel'
how_to_implement: To successfully implement this search, you will need to ensure that
DNS data is populating the Network_Resolution data model. In addition, you must
have the Machine Learning Toolkit (MLTK) version >= 4.2 installed, along with any
required dependencies. By default, the search builds the model using the past 30
days of data. You can modify the search window to build the model over a longer
period of time, which may give you better results. You may also want to periodically
re-run this search to rebuild the model with the latest data. More information on
the algorithm used in the search can be found at
`https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.
known_false_positives: none
references: []
tags:
analytic_story:
- Hidden Cobra Malware
- Suspicious DNS Traffic
- Command And Control
detections:
- DNS Query Length Outliers - MLTK
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
deployment:
scheduling:
cron_schedule: 0 0 */30 * *
earliest_time: -30d@d
latest_time: -1d@d
schedule_window: auto