get_process_responsible_for_the_dns_traffic.yml

name: Get Process Responsible For The DNS Traffic
id: 910e6512-edc9-4f93-ba24-5b786f47a672
version: 2
date: '2019-04-01'
author: Bhavin Patel, Splunk
type: Investigation
datamodel:
- Endpoint
description: While investigating, an analyst will want to know what process and parent_process
  is responsible for generating suspicious DNS traffic. Use the following search and
  enter the value of `dest` in the search to get specific details on the process responsible
  for creating the DNS traffic.
search: '| tstats `security_content_summariesonly` count min(_time) max(_time) as
  lastTime from datamodel=Endpoint.Processes by Processes.parent_process Processes.process_name
  Processes.user Processes.dest Processes.process_id | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search
  dest = $dest$ | join dest type=inner [| tstats `security_content_summariesonly`
  count from datamodel=Endpoint.Ports where Ports.dest_port=53 by Ports.process_id
  Ports.src | `drop_dm_object_name(Ports)` | rename src as dest]'
how_to_implement: You must be ingesting endpoint data that associates processes with
  network events into the Endpoint datamodel. This can come from endpoint protection
  products such as carbon black, or endpoint data sources such as Sysmon.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - AWS Network ACL Activity
  - Brand Monitoring
  - Data Protection
  - Dynamic DNS
  - Hidden Cobra Malware
  - Suspicious AWS Traffic
  - Suspicious DNS Traffic
  - Command And Control
  product:
  - Splunk Phantom
  required_fields:
  - _time
  - Processes.user
  - Processes.process_id
  - Processes.process_name
  - Processes.dest
  - Processes.parent_process
  - Ports.process_id
  - Ports.src
  - Ports.dest_port
  security_domain: endpoint