Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Investigate and monitor domains

Investigate and monitor the domains in your network associated with anomalies. View details about domains associated with anomalies on the Domain Details page.

  1. Click Explore > Anomalies to open the anomalies table.
  2. Open an anomaly that contains a domain name, such as the Blacklisted Domain anomaly or a Domain Name Anomaly.
  3. Click the domain name from the list of Domains to view the domain details.

Add a domain to a watchlist

Monitor domains in your network by adding a domain to a watchlist.

  1. From the Domain Details page, select Watchlists.
  2. Select a watchlist to add the domain to the watchlist.

Unlike the domain whitelist and domain blacklist, a domain watchlist lets you take action on anomalies, or create custom threats, that take the domains on the watchlist into account. Add a domain to a whitelist to make sure that events associated with the domain do not create any anomalies or threats. Add a domain to a blacklist to make sure that events associated with the domain do create anomalies or threats. If instead you want events associated with a domain to stop creating anomalies of one specific type while still creating others, add the domain to a domain watchlist and create an anomaly action rule.

For example, to prevent events containing the domain http://s647gfdsfgtl.example.com from creating algorithmically generated domain anomalies, while still allowing them to create a malicious domain anomaly, add the domain to a watchlist and create an anomaly action rule for that anomaly type. See Take action on anomalies with anomaly action rules.
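The following script is an added illustration, not Splunk UBA code, of how the three lists and an anomaly action rule combine for the example above. The class and function names, the anomaly type strings, the extra whitelist and blacklist entries, and the precedence order (whitelist, then blacklist, then watchlist rules) are all assumptions made for the illustration. It also normalizes the documentation's URL-style domain to a bare hostname before matching, so that a scheme, path or trailing dot in an event cannot bypass a list.

```python
"""Hypothetical model of domain whitelist, blacklist, watchlist and
anomaly action rule interaction. Not a Splunk UBA API; names and
precedence order are assumptions for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def normalize_domain(value: str) -> str:
    """Reduce a URL or bare hostname to a lowercase hostname.

    List membership is checked on the hostname, never on the raw string,
    so "http://", a path, or a trailing dot cannot defeat the match.
    """
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the text as a network location
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


@dataclass(frozen=True)
class ActionRule:
    """Anomaly action rule: suppress one anomaly type for a watchlist's domains."""
    watchlist: str
    anomaly_type: str


@dataclass
class DomainPolicy:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    watchlists: dict = field(default_factory=dict)  # watchlist name -> set of hostnames
    rules: list = field(default_factory=list)       # list of ActionRule


def evaluate(policy: DomainPolicy, domain: str, anomaly_type: str) -> tuple:
    """Decide whether a candidate anomaly of anomaly_type for domain is kept.

    Returns ("create" | "suppress", reason). Assumed precedence:
    whitelist, then blacklist, then watchlist action rules, then create.
    """
    host = normalize_domain(domain)
    if host in policy.whitelist:
        return "suppress", "domain is whitelisted: no anomalies or threats"
    if host in policy.blacklist:
        return "create", "domain is blacklisted: events always create anomalies"
    for rule in policy.rules:
        members = policy.watchlists.get(rule.watchlist, set())
        if host in members and rule.anomaly_type == anomaly_type:
            return "suppress", f"rule on watchlist {rule.watchlist!r} suppresses {anomaly_type!r}"
    return "create", "no list or rule applies"


def example_policy() -> DomainPolicy:
    """Constructed policy reproducing the documentation's example."""
    policy = DomainPolicy()
    policy.whitelist.add("updates.example.com")        # constructed entry
    policy.blacklist.add("known-bad.example.net")      # constructed entry
    policy.watchlists["dga-exceptions"] = {
        normalize_domain("http://s647gfdsfgtl.example.com")
    }
    policy.rules.append(ActionRule("dga-exceptions", "Algorithmically Generated Domain"))
    return policy


if __name__ == "__main__":
    p = example_policy()
    for dom, typ in [
        ("http://s647gfdsfgtl.example.com", "Algorithmically Generated Domain"),
        ("http://s647gfdsfgtl.example.com", "Malicious Domain"),
        ("updates.example.com", "Malicious Domain"),
        ("known-bad.example.net", "Algorithmically Generated Domain"),
    ]:
        print(dom, typ, "->", evaluate(p, dom, typ))
```

With the example policy, the watchlisted domain is suppressed only for the algorithmically generated domain type and still creates a malicious domain anomaly, which is exactly the outcome the documentation describes; the whitelist and blacklist entries show why those lists are too coarse for that goal.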

Review the domain information

  • Identify any threats associated with the domain, and any anomalies associated with the domain. Click a threat to open the Threats page for the domain details, or an anomaly to open the Anomalies page for the domain details.
  • See all users in the anomalies associated with this domain. Click the name of a user to open the User Information page for the user. See View user information.
  • Identify devices associated with the domain anomalies.
  • Review the participants in any associated anomalies and the relative severity of the interactions in the Domain Relations panel. Identify if there are multiple users visiting the same questionable domain.
  • Review the Domain Registrant (Whois) to see what WHOIS registration data exists for the domain.
  • Determine if the domain is associated with malware or is otherwise malicious by viewing information about the domain in VirusTotal.
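The Domain Relations question of whether several users reached the same questionable domain is easy to answer offline if you export the anomaly records. The script below is an added illustration with constructed sample records, not Splunk UBA code; the field names (domain, user, device, type, score) are assumptions about an export format.

```python
"""Aggregate domain anomaly records into per-domain relations and find
domains that several distinct users visited. Added illustration with
constructed data; field names are assumptions, not a UBA schema."""
from collections import defaultdict

# Constructed sample records shaped like rows of a Domain Anomalies table.
ANOMALIES = [
    {"domain": "s647gfdsfgtl.example.com", "user": "alice", "device": "wks-01",
     "type": "Algorithmically Generated Domain", "score": 6},
    {"domain": "S647GFDSFGTL.example.com", "user": "bob", "device": "wks-17",
     "type": "Algorithmically Generated Domain", "score": 7},
    {"domain": "s647gfdsfgtl.example.com", "user": "bob", "device": "wks-17",
     "type": "Malicious Domain", "score": 9},
    {"domain": "cdn.example.org", "user": "carol", "device": "lt-03",
     "type": "Domain Name Anomaly", "score": 3},
]


def domain_relations(records):
    """Return {domain: {"users", "devices", "types", "max_score"}} per domain.

    Domains are lowercased so case variants in the export collapse together.
    """
    rel = defaultdict(lambda: {"users": set(), "devices": set(),
                               "types": set(), "max_score": 0})
    for r in records:
        entry = rel[r["domain"].lower()]
        entry["users"].add(r["user"])
        entry["devices"].add(r["device"])
        entry["types"].add(r["type"])
        entry["max_score"] = max(entry["max_score"], r["score"])
    return dict(rel)


def shared_domains(records, min_users=2):
    """Domains visited by at least min_users distinct users, highest score first.

    Each hit is (domain, distinct_user_count, max_score).
    """
    rel = domain_relations(records)
    hits = [(d, len(e["users"]), e["max_score"])
            for d, e in rel.items() if len(e["users"]) >= min_users]
    return sorted(hits, key=lambda h: (-h[2], -h[1], h[0]))


if __name__ == "__main__":
    for domain, users, score in shared_domains(ANOMALIES):
        print(f"{domain}: {users} users, max score {score}")
```

A domain that appears with a high score and more than one user is the case to look at first, because it suggests something spreading rather than a single user's mistake.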

Review the domain anomalies

See all anomalies associated with a domain on the domain anomalies section of the domain details.

  • Review the Domain Anomalies Timeline to see the types of anomalies associated with the domain over time.
  • Review the Domain Anomalies Trend to identify large numbers of domain anomalies over time.
  • Review the table of Domain Anomalies to see a comprehensive list of all anomalies associated with the domain.

Review the domain threats

See all threats associated with a domain on the domain threats section of the domain details.

  • Review the Domain Threats Timeline to see the types of threats associated with the domain over time.
  • Review the table of Domain Threats to see a comprehensive list of all threats associated with the domain.
Last modified on 07 January, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2
