Detection Of DNS Tunnels
This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. Deprecated because existing detection is doing the same.
Detection Of DNS Tunnels Help
To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the NetworkResolution data model. Fields like srccategory are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the
Open in Search