Streamlining Network Analysis with Splunk Stream and Threatbook’s OneDNS App
Managing a large network environment with countless devices and users is no small feat. Trying to locate the exact source IP behind a suspicious domain lookup can feel like searching for a needle in a haystack; that is why we proposed integrating the Splunk Stream app with a customised Threatbook OneDNS app. Splunk Stream captures, indexes, and analyses network data in real time. It gives insight into the organisation’s network traffic and supports threat detection, network troubleshooting, and performance monitoring. In our case, we focused on the captured DNS logs. From the DNS logs, we obtained valuable information about the domain resolutions made by users and their source IPs. To further improve the accuracy of the domain data, we also leveraged an additional Splunk add-on called URL Toolbox. This app correctly parses URLs and top-level domains, so that the registered domain is extracted consistently before it is compared against threat intelligence.
How to install the apps?
The Splunk Stream app is available to download on Splunkbase and depending on your Splunk architecture, the deployment method varies. For example, to deploy Splunk Stream on a Managed Cloud deployment, you may need to contact your Splunk Cloud account team for installation; the installation typically involves a search head and an indexer. In terms of the OneDNS app, it is a private app that we introduced specifically for this client; for more information regarding how to obtain it and its installation process, please feel free to contact us at enquiry@vsceptre.com.
As mentioned, the OneDNS app is designed to extract data from Splunk Stream for the purpose of comparison and correlation. It traverses the Stream index and identifies event records whose domain-related field contains a value that matches an entry in the OneDNS threat intelligence database. Whenever a domain match is found, it indicates potentially suspicious activity, and the record is marked as a detection of malicious domain access within the company network. Furthermore, to offer our client a personalised experience, we developed a dedicated dashboard that aligns precisely with their requirements. We also configured alerts so that they receive timely notifications about relevant matches. This customisation allows them to access the specific insights they need quickly, enabling prompt responses to potential threats and whatever follow-up action is required.
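The correlation described above, written as a Splunk search. This is an added illustration, not the OneDNS app’s own search: it assumes Splunk Stream DNS events are indexed as sourcetype stream:dns with query and src_ip fields, that URL Toolbox is installed (its ut_parse_extended macro populates ut_domain), and that the threat intelligence has been loaded into a lookup named onedns_threat_intel with domain and threat_type columns (placeholder names).

```spl
index=stream sourcetype=stream:dns query=*
| eval list="mozilla"
| `ut_parse_extended(query, list)`
| rename ut_domain AS registered_domain
| lookup onedns_threat_intel domain AS registered_domain OUTPUT threat_type
| where isnotnull(threat_type)
| eval detection="malicious domain access"
| stats count AS lookups
        min(_time) AS first_seen
        max(_time) AS last_seen
        values(query) AS queried_names
    BY src_ip registered_domain threat_type detection
| convert ctime(first_seen) ctime(last_seen)
| sort - lookups
```

Saving this search as a scheduled alert with a threshold of one or more results produces the notification described above, and the same stats table can back the dashboard panel.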
Conclusion
In conclusion, identifying users who have accessed suspicious domains within a network can be complex, particularly in large-scale environments where infrastructure modifications are limited. The integration of the Splunk Stream app and the customised Threatbook OneDNS app offers a compelling solution. By leveraging Splunk Stream’s real-time network data analysis capabilities, organisations can capture and analyse DNS logs, extracting valuable information about domain resolutions and their source IPs. Together with the OneDNS threat intelligence performing the data correlation, we can further improve the efficiency of identifying suspicious users. As a result, organisations can significantly improve their security posture, taking proactive measures to protect their network infrastructure and safeguard sensitive data. This integration proves to be a valuable asset for organisations in their efforts to maintain a robust and secure digital environment.