Highest Registered Domain

The prelertsplitdomainname command splits a DNS domain name into its highest registered domain and its sub-domain, where the sub-domain is everything to the left of the highest registered domain. This is useful for identifying unique external destinations when analyzing network traffic, because the many hostnames under one registered domain (www, mail, cdn and so on) collapse onto a single value.

DNS domain name        sub-domain       highest registered domain
www.prelert.com        www              prelert.com
info.prelert.com       info             prelert.com
support.prelert.com    support          prelert.com
www.osc.state.ny.us    www.osc.state    ny.us
vote.nyc.ny.us         vote.nyc         ny.us

Syntax

The domain name is split as part of the input search. The two fields the split produces are then passed to the analysis, so the detector is written in terms of those field names rather than the original domain field.

Given a DNS domain name in the field dns_query, the command creates two new fields: prelerthrd, containing the highest registered domain, and prelertsub, containing the sub-domain. The detector below then looks, for each highest registered domain, for sub-domains that carry an unusually large amount of information compared with the sub-domains seen under other domains. A domain whose sub-domain labels are consistently long and high-entropy may indicate DNS tunneling, which encodes data in the query name.

Input Search:

sourcetype=<dns> | prelertsplitdomainname domainfield=<dns_query>

Detector:

high_info_content(prelertsub) over prelerthrd

where:

prelertsplitdomainname:
 The Splunk command that splits the domain name into its parts.
domainfield=<dns_query>:
 Specifies the field containing the domain name to split.
prelertsub:
 The generated field that contains the sub-domain.
prelerthrd:
 The generated field that contains the highest registered domain.
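The following is an added example, not code from the Prelert app, showing the split in plain Python and a simple stand-in for the detector above. It assumes a small constructed suffix table and uses Shannon entropy as the information measure; Prelert's high_info_content metric is not documented on this page and may differ. The function and sample names are hypothetical.

```python
import math
from collections import defaultdict

# Constructed, deliberately small suffix table for this example. It reproduces the
# page's table, where ny.us is the highest registered domain. The real Public
# Suffix List also lists ny.us itself as a public suffix, so a PSL-driven splitter
# would return state.ny.us for www.osc.state.ny.us instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "uk", "co.uk", "ac.uk"}


def split_domain(name):
    """Return (sub_domain, highest_registered_domain) for a DNS name.

    The highest registered domain is the longest known public suffix plus the
    one label immediately to its left; everything further left is the
    sub-domain (empty string when there is none).
    """
    labels = name.strip().rstrip(".").lower().split(".")
    # Try the longest candidate suffix first so that co.uk wins over uk.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:-(n + 1)]), ".".join(labels[-(n + 1):])
    # Unknown suffix: assume the last two labels form the registered domain.
    if len(labels) < 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def info_bits(s):
    """Shannon information content of a string in bits (entropy per character
    times length). A stand-in for Prelert's high_info_content, not its
    actual implementation."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return entropy * n


def rank_hrds(queries):
    """Split each query, then rank highest registered domains by the mean
    information content of their sub-domains, highest first. This mirrors
    the shape of high_info_content(prelertsub) over prelerthrd."""
    per_hrd = defaultdict(list)
    for q in queries:
        sub, hrd = split_domain(q)
        per_hrd[hrd].append(info_bits(sub))
    return sorted(((hrd, sum(v) / len(v)) for hrd, v in per_hrd.items()),
                  key=lambda kv: kv[1], reverse=True)


# Constructed sample of DNS query names: the page's table entries plus two
# tunnelling-style names whose sub-domain labels carry long hex blobs.
SAMPLE_QUERIES = [
    "www.prelert.com", "info.prelert.com", "support.prelert.com",
    "www.osc.state.ny.us", "vote.nyc.ny.us",
    "www.example.co.uk", "mail.example.co.uk",
    "a9f3e7c2b1d4e6f8a0b2c4d6e8f0a1b3.t.example.net",
    "c5d7e9f1a3b5c7d9e1f3a5b7c9d1e3f5.t.example.net",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        sub, hrd = split_domain(q)
        print(f"{q:50} sub={sub!r:40} hrd={hrd!r}")
    for hrd, bits in rank_hrds(SAMPLE_QUERIES):
        print(f"{hrd:20} mean sub-domain info = {bits:6.1f} bits")
```

Run stand-alone, the script prints the split for each sample name and then the ranking; example.net lands at the top because its sub-domains are long and near-uniformly distributed over hex digits, which is exactly the shape of a tunnelled payload. Note the caveat in the comments: what counts as the "highest registered domain" depends on the suffix table, and a Public Suffix List based splitter will not reproduce the ny.us rows of the table above.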

Important

This command is implemented in native code and is not flagged to always run on the search head, so in a distributed deployment Splunk may send it to the indexers; the app must therefore be installed on all indexers. If the app is not installed on all indexers, precede prelertsplitdomainname with the localop command, which forces the remainder of the pipeline to run on the search head, for example:

index=dns | localop | prelertsplitdomainname domainfield=query
