So I know there is a newer app called Stream. It has a massive amount of DNS queries from 100 hosts at least in Stream. If I need to pull data from that to generate the report, how can I narrow the DNS queries that Stream has captured, since malware is using internal DNS and we have no clue which to look for? This may be a case of DNS tunneling, but Stream doesn't have friendly means to 'search this from within ES'. While I haven't been given a time of day or the days in question, it's probably daily. I need to be able to have not only myself do this but also users who are not going to use Splunk SPL. They are used to using ArcSight, and it constantly displays current, live data, not static data that has been searched. Then they build a report or a trend and get that automatically sent to them via email in ArcSight. This is the expectation for enterprise management, incident response or even MSSPs who do not want their clients accessing Splunk!
Why Splunk is at the top of the Gartner Quadrant (I have no idea why) - their cert training focuses too much on sales scenarios. Rarely does a SIEM serve the purpose of sales (lack of insight on cert training). What we need is: show me DNS records over a period of time, display the src host and where they are sending that request to, because I can't turn on debugging modes in a network that spans the nation and globe. I need some practical scenarios where one would be able to search for DNS logs performed on what host, to where, requested by what client, because we have a serious incident that we need to figure out across 1 million hosts or more where this potential DNS tunneling is coming to. I can't get the Stream app to really dive down into this, as most people want reports; they do not or cannot log into Splunk. Has anyone used Stream and ES that can comment on how they have done this?
Thx
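One way to narrow a large Stream DNS capture to the sources worth reporting on, as an added example that is not part of the original post or of the Stream app: profile each (src host, parent domain) pair by unique-subdomain count, average subdomain length and label entropy, which is the shape encoded-data-in-DNS tends to take. The records, field names (src_ip, dest_ip, query, query_type) and thresholds are constructed assumptions; the same aggregation translates directly into a scheduled Splunk search that can be emailed as a report.

```python
import math
from collections import defaultdict

# Constructed sample events shaped like Stream DNS records (hypothetical
# field names and addresses; not real capture data).
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.5", "dest_ip": "10.0.0.53", "query": "mail.corp.example", "query_type": "A"},
    {"src_ip": "10.1.1.5", "dest_ip": "10.0.0.53", "query": "www.corp.example", "query_type": "A"},
    {"src_ip": "10.1.1.5", "dest_ip": "10.0.0.53", "query": "updates.vendor.example", "query_type": "A"},
] + [
    {"src_ip": "10.1.1.77", "dest_ip": "10.0.0.53", "query": label + ".badexample.net", "query_type": "TXT"}
    for label in ("q7w3e9r1t5y2u8i4o6p0", "a1s2d3f4g5h6j7k8l9z0",
                  "x9c8v7b6n5m4l3k2j1h0", "p0o9i8u7y6t5r4e3w2q1", "z1x2c3v4b5n6m7a8s9d0")
]

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_query(qname):
    """Split 'sub.labels.parent.tld' into (subdomain without dots, parent.tld)."""
    labels = qname.lower().rstrip(".").split(".")
    parent = ".".join(labels[-2:])
    return "".join(labels[:-2]), parent

def profile_sources(events):
    """Aggregate per (src_ip, parent domain): volume, unique subdomains, length, entropy."""
    prof = defaultdict(lambda: {"count": 0, "subs": set(), "len_sum": 0, "ent_sum": 0.0})
    for ev in events:
        sub, parent = split_query(ev["query"])
        p = prof[(ev["src_ip"], parent)]
        p["count"] += 1
        p["subs"].add(sub)
        p["len_sum"] += len(sub)
        p["ent_sum"] += shannon_entropy(sub)
    return prof

def flag_tunneling(events, min_unique=5, min_avg_len=16, min_avg_entropy=3.5):
    """Return (src_ip, parent) pairs whose queries look like encoded data, not hostnames."""
    flagged = []
    for key, p in profile_sources(events).items():
        avg_len, avg_ent = p["len_sum"] / p["count"], p["ent_sum"] / p["count"]
        if len(p["subs"]) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    for src, parent in flag_tunneling(SAMPLE_EVENTS):
        print(f"possible DNS tunneling: {src} -> *.{parent}")
```

The benign host stays below every threshold, so only the source emitting many long, high-entropy subdomains under one parent domain is reported.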