DNS Record Changed


The search takes the DNS records and their answers from the discovereddnsrecords lookup and finds whether any of those records have changed, by searching the DNS responses in the Network_Resolution data model across the last day.


DNS Record Changed Help

To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that the discover_dns_record lookup table be populated by the included support search "Discover DNS record".

Splunk>Phantom Playbook Integration

If Splunk>Phantom is also configured in your environment, a Playbook called "DNS Hijack Enrichment" can be configured to run when any results are found by this detection search. The playbook takes in the changed DNS record and uses Geoip, whois, Censys and PassiveTotal to detect if DNS issuers changed. To use this integration, install the Phantom App for Splunk (https://splunkbase.splunk.com/app/3411/), add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. (Playbook Link: https://my.phantom.us/4.2/playbook/dns-hijack-enrichment/)
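The comparison this detection performs, written out as an added Python example rather than Splunk's own search: a constructed baseline stands in for the discovereddnsrecords lookup, a constructed event list stands in for DNS responses in the Network_Resolution data model, and a record is flagged when an observed answer is not in its baseline.

```python
# Added example (not Splunk's detection search): the "DNS Record Changed"
# comparison in plain Python. All sample data below is constructed.
from collections import defaultdict

# Constructed baseline: domain -> answers recorded by the support search
# (stand-in for the discovereddnsrecords lookup).
BASELINE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.25"},
    "api.example.com": {"203.0.113.40", "203.0.113.41"},
}

# Constructed DNS response events over the last day; field names follow
# the Network_Resolution data model (query, answer).
EVENTS = [
    {"query": "www.example.com", "answer": "203.0.113.10"},
    {"query": "mail.example.com", "answer": "198.51.100.7"},   # changed
    {"query": "api.example.com", "answer": "203.0.113.41"},
    {"query": "api.example.com", "answer": "203.0.113.40"},
    {"query": "new.example.com", "answer": "203.0.113.99"},    # not baselined
]


def current_answers(events):
    """Group observed answers by queried name (like stats values(answer) by query)."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["query"]].add(ev["answer"])
    return seen


def changed_records(baseline, events):
    """Return {query: (baseline_answers, observed_answers)} for each baselined
    name that resolved to at least one answer absent from its baseline.

    Assumptions: names missing from the baseline are ignored (the detection only
    covers records the support search already discovered), and a name that
    returns a subset of its baseline answers (round-robin) is not a change."""
    observed = current_answers(events)
    changes = {}
    for query, expected in baseline.items():
        got = observed.get(query, set())
        if got - expected:
            changes[query] = (sorted(expected), sorted(got))
    return changes


if __name__ == "__main__":
    for name, (old, new) in changed_records(BASELINE, EVENTS).items():
        print(f"{name}: baseline {old} -> observed {new}")
```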



Baseline Generation Searches

This detection relies on the following search to generate the baseline lookup.

  • Discover DNS records