https://github.com/dncrypter/dns-log-analysis-with-siem

In this project, I have discussed about DNS log analysis on splunk SIEM tool with help of SPL queries by using searching & reporting feature.
https://github.com/dncrypter/dns-log-analysis-with-siem

dns-server-logs log-analysis siem splunk

Last synced: 5 months ago
JSON representation

In this project, I have discussed about DNS log analysis on splunk SIEM tool with help of SPL queries by using searching & reporting feature.

• Host: GitHub
• URL: https://github.com/dncrypter/dns-log-analysis-with-siem
• Owner: DNcrypter
• Created: 2024-11-07T09:44:09.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2024-11-07T11:00:00.000Z (over 1 year ago)
• Last Synced: 2025-02-01T12:45:12.786Z (over 1 year ago)
• Topics: dns-server-logs, log-analysis, siem, splunk
• Homepage:
• Size: 56.5 MB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: Readme.md

Awesome Lists containing this project

README

          
# DNS Log Analysis Using Splunk SIEM

In this project, I have discussed about DNS log analysis on splunk SIEM tool with help of SPL queries by using searching & reporting feature. 

[![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](https://choosealicense.com/licenses/mit/)

        [![LinkedIn](https://img.shields.io/badge/LinkedIn-Profile-blue)](https://www.linkedin.com/in/nikhil--chaudhari/)

        [![Medium](https://img.shields.io/badge/Medium-Writeups-black)](https://medium.com/@nikhil-c)

## 🍁Introduction

DNS (Domain Name System) logs are crucial for understanding network activity and identifying potential security threats. Splunk SIEM (Security Information and Event Management) provides powerful capabilities for analyzing DNS logs and detecting anomalies or malicious activities.

## 🍁Prerequisites

- Splunk instance is installed and configured.

- DNS log data sources are configured to forward logs to Splunk.

## 🍁Upload DNS Logs File to Splunk

### 1. Prepare Sample DNS Log Files

- Obtain sample [DNS log file]() in a suitable format (e.g., text files).

- Ensure the log files contain relevant DNS events, including source IP, destination IP, domain name, query type, response code, etc.

- Save the sample log files in a directory accessible by the Splunk instance.

### 2. Upload Log Files to Splunk

- Log in to the Splunk web interface.

- Navigate to **Settings** > **Add Data**.

- Select **Upload** as the data input method.

### 3. Choose File

- Click on **Select File** and choose the sample DNS log file you prepared earlier.

### 4. Set Source Type

- In the **Set Source Type** section, specify the source type for the uploaded log file.

- Choose the appropriate source type for DNS logs (e.g., `dns` or a custom source type if applicable).

### 5. Review Settings

- Review other settings such as index, host, and sourcetype.

- Ensure the settings are configured correctly to match the sample DNS log file.

### 6. Click Upload

- Once all settings are configured, click on the **Review** button.

- Review the settings one final time to ensure accuracy.

- Click **Submit** to upload the sample DNS log file to Splunk.

### 7. Verify Upload

- After uploading, navigate to the search bar in the Splunk interface.

- Run a search query to verify that the uploaded DNS events are visible.

  

  ```spl

  index= sourcetype=

## Analyse DNS Log Files in Splunk SIEM

### 1. Search for DNS Events   

- Open Splunk interface and navigate to the search bar.   

- Enter the following search query to retrieve DNS events   

```

index=* sourcetype=dns_sample

```

### 2. Extract Relevant Fields

- Identify key fields in DNS logs such as source IP, destination IP, domain name, query type, response code, etc.   

- As mentioned below,  | regex _raw="(?i)\b(dns|domain|query|response|port 53)\b": This regex searches for common DNS-related keywords in the raw event data.

- Example extraction command:

```

index=* sourcetype=dns_sample | regex _raw="(?i)\b(dns|domain|query|response|port 53)\b"

```

### 3. Identify Anomalies

- Look for unusual patterns or anomalies in DNS activity.

- Example query to identify spikes

```

index=_* OR index=* sourcetype=dns_sample  | stats count by fqdn

```

### 4. Find the top DNS sources

- Use the top command to count the occurrences of each query type:   

```

index=* sourcetype=dns_sample | top fqdn, src_ip

```

### 5. Investigate Suspicious Domains

- Search for domains associated with known malicious activity or suspicious behavior.

- Utilize threat intelligence feeds or reputation databases to identify malicious domains such virustotal.com

- Example search for known malicious domains:

```

index=* sourcetype=dns_sample fqdn="maliciousdomain.com"

```

## 🍁Conclusion

Analyzing DNS log files using Splunk SIEM enables security professionals to detect and respond to potential security incidents effectively. By understanding DNS activity and identifying anomalies, organizations can enhance their overall security posture and protect against various cyber threats.

You can create your own use cases and search them to get required results.If you like this project star it and follow on medium for latest tech blogs.