For example, an attacker-controlled domain can be used as a hub for command and control communications, while another domain is used for data exfiltration. Why should you consider network activity to new domains to be suspicious and potentially malicious? Malware and malicious actors regularly use domains they own or control for a variety of nefarious purposes. The remainder of these new, never-seen-before domains represent a potential threat. Sure, there’s going to be some legitimate traffic going to a few domains today that haven’t been seen on the network before, but it’s likely to be a small percentage of the overall set of domains. After all, I can’t miss today’s xkcd or Dilbert! Applications making network requests from my laptop, phone, and other systems generally hit the same domains day in and day out as well.īut what about the small percentage of Internet domains that were requested from my network today, but were not previous destinations for my systems? This is what I mean by “new” domains. If I look at my browsing, I visit the same 20 or so websites on a daily basis. If your organization is typical, the domains that are requested from your network today have a tremendous amount of overlap with yesterday’s requests. Users (and applications) are creatures of habit. First, let’s delve into what we mean by “new” domains and why you should make a habit of detecting this activity in the first place.
Splunk inputlookup how to#
In this installment of “Hunting with Splunk: The Basics,” we’re going to look at how to detect suspicious and potentially malicious network traffic to “new” domains. I’m very proud of this piece that Andrew wrote, and I hope y'all like it as much as I do. We might be abusing the term “basics” a titch more than usual, but I believe this subject is vital for organizations.
This blog post is part thirteen of the " Hunting with Splunk: The Basics" series.
0 kommentar(er)
