
Commit e4a676f

committed
changing spl and notebook for feature transformations
1 parent 6139b72 commit e4a676f

2 files changed: +214 -80 lines changed

detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml

+16-15
@@ -14,21 +14,22 @@ description: The following analytic uses a pre trained deep learning model to
1414
The model is a deep learning model that accepts DNS request as input along with a few custom features to generate a
1515
pred_is_exfiltration_proba score. The higher the pred_is_exfiltration_proba, the more likely the DNS request is data exfiltration.
1616
The threshold for flagging a request as DNS exfiltration is set at 0.5.
17-
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
18-
max(_time) as lastTime from datamodel=Network_Resolution where
19-
DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest
20-
DNS.answer DNS.record_type
21-
| `drop_dm_object_name("DNS")`
22-
| rename answer as text
23-
| fields firstTime, lastTime, message_type,record_type,src,dest, text
24-
| apply detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl
25-
| rename predicted_is_unknown as is_suspicious_score
26-
| where is_suspicious_score > 0.5
27-
| `security_content_ctime(firstTime)`
28-
| `security_content_ctime(lastTime)`
29-
| rename src as "Source IP", dest as "Destination IP", text as "DNS Answer", record_type as "DNS Record Type"
30-
| table "Source IP","Destination IP","DNS Answer","DNS Record Type", firstTime, lastTime,is_suspicious_score
31-
| `detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter`'
17+
search: '| tstats `security_content_summariesonly` count from datamodel=Network_Resolution by DNS.src _time DNS.query
18+
| `drop_dm_object_name("DNS")`
19+
| sort - _time,src, query
20+
| streamstats count as count by src query
21+
| where count < 10
22+
| table src,query,count,_time
23+
| apply dns_exfil11
24+
| table src,_time, query,count,pred_is_dns_data_exfiltration_proba,pred_is_dns_data_exfiltration
25+
| where count == 1
26+
| rename pred_is_dns_data_exfiltration_proba as is_exfiltration_score
27+
| rename pred_is_dns_data_exfiltration as is_exfiltration
28+
| where is_exfiltration_score > 0.5
29+
| `security_content_ctime(_time)`
30+
| rename src as "Source IP" _time as "time"
31+
| table "Source IP","time","query","is_exfiltration_score","is_exfiltration"
32+
| `detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter`'
3233

3334
how_to_implement: 'Steps to deploy detect DNS data exfiltration model into Splunk App
3435
DSDL. This detection depends on the Splunk app for Data Science and Deep
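Review bot: the two count filters in the new search are redundant: `| where count < 10` (line 21) is immediately made moot by `| where count == 1` (line 25), since every row surviving the second filter already satisfies the first; keep only `| where count == 1` (or, if the intent was to cap per-pair volume before `apply`, document why both are needed). The description kept in the context lines (14-16) still names the model output `pred_is_exfiltration_proba`, but the search renames `pred_is_dns_data_exfiltration_proba` and `pred_is_dns_data_exfiltration`; update the description so the field names match what `| apply` actually emits, otherwise the threshold sentence refers to a field that never appears. The model name `dns_exfil11` on line 23 reads like a development artifact; the old search used a descriptive name, and the `how_to_implement` text below refers to deploying the "detect DNS data exfiltration model", so a matching descriptive model name (and the same name in the deployment steps) would make the detection self-consistent.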
