Navigation :

Detect Web Traffic To Dynamic Domain Providers

Description

This search looks for web connections to dynamic DNS providers.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Security Monitoring

Alert Volume

This search looks for web connections to dynamic DNS providers.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Techniques

Application Layer Protocol

Web Protocols

MITRE Threat Groups

APT18

APT19

APT28

APT32

APT33

APT37

APT38

APT39

APT41

BRONZE BUTLER

Cobalt Group

Dark Caracal

FIN4

Gamaredon Group

Inception

Ke3chang

Lazarus Group

Machete

Magic Hound

MuddyWater

Night Dragon

OilRig

Orangeworm

Rancor

Rocke

Sandworm Team

SilverTerrier

Stealth Falcon

TA505

Threat Group-3390

Tropic Trooper

Turla

WIRTE

Wizard Spider

Kill Chain Phases

Command and Control

Actions On Objectives

Data Sources

Web Proxy

Help
Detect Web Traffic To Dynamic Domain Providers Help This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\ This search produces fields (`isDynDNS`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n1. Label: IsDynamicDNS, Field: isDynDNS\ Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Help

Detect Web Traffic To Dynamic Domain Providers Help

This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, dynamic_dns_providers_default.csv, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.\ This search produces fields (isDynDNS) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):\n1. Label: IsDynamicDNS, Field: isDynDNS\ Detailed documentation on how to create a new field within Incident Review may be found here: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details

Search
\| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status \| `drop_dm_object_name("Web")` \| `security_content_ctime(firstTime)` \| `dynamic_dns_web_traffic` \| `detect_web_traffic_to_dynamic_domain_providers_filter` Open in Search

Search

| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`

Open in Search