dnstwist_domain_names.yml
name: DNSTwist Domain Names
id: 19f7d2ec-6028-4d01-bcdb-bda9a034c17f
version: 2
date: '2018-10-08'
author: David Dorsey, Splunk
type: Baseline
status: production
description: This search creates permutations of your existing domains, removes the
  valid domain names and stores them in a specified lookup file so they can be checked
  for in the associated detection searches.
search: '| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse="true"
  | table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count'
how_to_implement: To successfully implement this search you need to update the file
  called domains.csv in the DA-ESS-SOC/lookup directory, or use `cim_corporate_email_domains.csv`
  and `cim_corporate_web_domains.csv` from Splunk_SA_CIM.
known_false_positives: none
references: []
tags:
  analytic_story:
  - Brand Monitoring
  - Suspicious Emails
  detections:
  - Monitor Email For Brand Abuse
  - Monitor DNS For Brand Abuse
  - Monitor Web Traffic For Brand Abuse
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: network
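The pipeline the `description` and `search` fields describe (permute the brand domains, drop the names the organisation legitimately owns, emit rows with `domain_abuse=true` for the lookup), as an added Python example that is not part of this repository or of dnstwist itself. It implements only a handful of dnstwist's permutation types (omission, repetition, transposition, a few homoglyphs, TLD swap), and the `domains.csv` contents and the set of valid domains standing in for the `remove_valid_domains` macro are constructed sample data.

```python
import csv
import io

# Constructed sample input standing in for domains.csv (the file the search reads).
DOMAINS_CSV = "domain\nexample.com\n"
# Constructed stand-in for what `remove_valid_domains` filters out: names the
# organisation already owns, which must never land in the abuse lookup.
VALID_DOMAINS = {"example.com", "example.net", "example.org"}

HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}
TLDS = ("com", "net", "org", "co")


def permutations(domain):
    """Lookalike candidates for one domain: a small subset of dnstwist's fuzzers."""
    label, _, tld = domain.rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:] + "." + tld)                  # omission
        out.add(label[:i] + ch + label[i:] + "." + tld)                  # repetition
        if i + 1 < len(label):                                           # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:] + "." + tld)
        if ch in HOMOGLYPHS:                                             # homoglyph
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:] + "." + tld)
    for t in TLDS:                                                       # TLD swap
        out.add(label + "." + t)
    out.discard(domain)  # the genuine domain is never a lookalike
    return out


def build_lookup(domains_csv, valid):
    """Mirror the search: dnstwist -> remove_valid_domains -> eval domain_abuse -> table."""
    rows = []
    for rec in csv.DictReader(io.StringIO(domains_csv)):
        for cand in sorted(permutations(rec["domain"])):
            if cand not in valid:
                rows.append({"domain": cand, "domain_abuse": "true"})
    return rows


def lookup_csv(rows):
    """Render the rows as the CSV that `outputlookup brandMonitoring_lookup` would write."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["domain", "domain_abuse"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    lookup = build_lookup(DOMAINS_CSV, VALID_DOMAINS)
    print(lookup_csv(lookup), end="")
    print("count =", len(lookup))  # the trailing `stats count` in the search
```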