Splunk App for Enterprise Security · v7.3.0
DAY 5 LAB · LAB 5 — DNS TUNNELING HUNT · week 1
Hunt for DNS tunneling in Zeek dns logs: abnormal subdomains and excessive TXT queries.
  • Threat intel reports DNS exfil tooling in the wild.
  • Run the pre-loaded SPL on the Zeek dns logs.
  • Flag any host with more than 200 unique TXT queries in a 10-minute window.
Hint: unique_q > 1000 is almost certainly tunneling; 10.4.12.91 is the smoking gun.
Search box supports: search field=value (wildcards) · stats count by f1,f2 · where field op N · sort -field · top N field · head N · table f1 f2
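The lab rule above, as an added worked example that is not part of the lab or of Splunk ES: Python that reproduces the hunt offline over constructed Zeek dns.log JSON lines. It groups distinct TXT query names per source host per 10-minute window, applies the > 200 threshold and the > 1000 high-confidence hint, and scores the leftmost label for length and entropy as the "abnormal subdomain" check. The field names ts, id.orig_h, query and qtype_name are Zeek's JSON dns.log names; the index, sourcetype, sample hosts and traffic are assumptions, and the SPL string is the equivalent search written with bin and dc(), which go beyond the command subset the lab search box lists.

```python
"""Added example: DNS tunneling hunt over Zeek dns.log (JSON lines), mirroring the lab rule."""
import hashlib
import json
import math
from collections import defaultdict

WINDOW_SECONDS = 600      # the lab's 10-minute window
TXT_THRESHOLD = 200       # lab rule: flag a host with > 200 unique TXT queries per window
HIGH_CONFIDENCE = 1000    # lab hint: unique_q > 1000 is almost certainly tunneling

# Equivalent SPL (index and sourcetype assumed; bin and dc() are outside the
# subset the lab search box lists, so this is the production-shaped query):
SPL_EQUIVALENT = """index=zeek sourcetype=zeek:dns qtype_name=TXT
| bin _time span=10m
| stats dc(query) AS unique_q BY _time, id.orig_h
| where unique_q > 200
| sort -unique_q"""


def shannon_entropy(label):
    """Bits per character: random hex sits near 3.8, base32 payload higher, real hostnames lower."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_subdomain(query, min_len=30, min_entropy=3.0):
    """Abnormal-subdomain check: exfil tools stuff encoded payload into the leftmost
    label, so a long, high-entropy first label is the signal. Thresholds are illustrative."""
    label = query.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_zeek_dns(lines):
    """Yield records from a Zeek dns.log written in JSON format (one object per line)."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            yield json.loads(line)


def bucket_txt_queries(records, window=WINDOW_SECONDS):
    """Distinct TXT names per (source host, window start): the dc(query) BY _time, id.orig_h step."""
    unique = defaultdict(set)
    for r in records:
        if r.get("qtype_name") != "TXT":
            continue
        start = int(float(r["ts"]) // window) * window
        unique[(r["id.orig_h"], start)].add(r["query"].lower())
    return unique


def flag_hosts(buckets, threshold=TXT_THRESHOLD):
    """Apply the lab rule and attach triage fields; highest unique_q first."""
    hits = []
    for (src, start), names in buckets.items():
        unique_q = len(names)
        if unique_q <= threshold:
            continue
        odd = sum(1 for n in names if suspicious_subdomain(n))
        hits.append({
            "src": src,
            "window_start": start,
            "unique_q": unique_q,
            "odd_label_ratio": round(odd / unique_q, 2),
            "verdict": "almost certainly tunneling" if unique_q > HIGH_CONFIDENCE else "investigate",
        })
    return sorted(hits, key=lambda h: -h["unique_q"])


BASE_TS = 1_699_999_800.0  # constructed: the start of one 10-minute bucket


def constructed_dns_log():
    """Constructed sample, not captured traffic: 10.4.12.91 sends 250 distinct TXT
    queries with hex-encoded labels inside one window; 10.4.12.20 does normal lookups."""
    def rec(ts, src, query, qtype):
        return json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": "10.4.0.53",
                           "query": query, "qtype_name": qtype})
    lines = [rec(BASE_TS + i * 0.5, "10.4.12.91",
                 hashlib.sha256(f"chunk-{i}".encode()).hexdigest() + ".t.exfil-example.test", "TXT")
             for i in range(250)]
    lines += [rec(BASE_TS + i, "10.4.12.20", q, "A")
              for i, q in enumerate(["www.example.com", "cdn.example.net", "mail.example.org"])]
    lines += [rec(BASE_TS + 10 + i, "10.4.12.20", f"selector{i}._domainkey.example.org", "TXT")
              for i in range(5)]  # a handful of legitimate DKIM-style TXT lookups
    return lines


def run_hunt(lines=None):
    """End to end: parse, bucket, flag. Defaults to the constructed sample."""
    lines = constructed_dns_log() if lines is None else lines
    return flag_hosts(bucket_txt_queries(parse_zeek_dns(lines)))


if __name__ == "__main__":
    for hit in run_hunt():
        print(hit)
```

Run it as a script to print the flagged rows. The verdict field applies only the lab hint, so 250 unique TXT names lands on "investigate" rather than the high-confidence bucket; that is why odd_label_ratio is carried next to unique_q, so a host under the 1000 mark whose every TXT name is a long hex label still reads as tunneling at triage, while a mail server doing many legitimate DKIM and SPF lookups would not.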