Investigate and monitor domains
Investigate and monitor the domains in your network that are associated with anomalies. The Domain Details page shows everything Splunk UBA has collected about a domain: its anomalies, threats, users, devices, WHOIS data, and VirusTotal reputation.
- Click Explore > Anomalies to open the anomalies table.
- Open an anomaly that contains a domain name, such as the Blacklisted Domain anomaly or a Domain Name Anomaly.
- Click the domain name from the list of Domains to view the domain details.
Add a domain to a watchlist
Monitor domains in your network by adding a domain to a watchlist.
- From the Domain Details page, select Watchlists.
- Select a watchlist to add the domain to the watchlist.
A domain watchlist works differently from the domain whitelist and domain blacklist. Rather than suppressing or forcing anomalies on its own, a watchlist lets you take action on anomalies, or create custom threats, that take the watchlisted domains into account. Add a domain to a whitelist to make sure that events associated with the domain never create anomalies or threats. Add a domain to a blacklist to make sure that events associated with the domain always create anomalies or threats. If you want events associated with a domain to stop creating anomalies of one specific type while still creating anomalies of other types, add the domain to a domain watchlist and create an anomaly action rule that applies to that watchlist.
For example, to prevent events containing the domain http://s647gfdsfgtl.example.com from creating Algorithmically Generated Domain anomalies, while still allowing them to create a Malicious Domain anomaly, add the domain to a watchlist and create an anomaly action rule that suppresses only that anomaly type for the watchlist. See Take action on anomalies with anomaly action rules.
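The precedence described above (whitelist suppresses everything, blacklist forces an anomaly, watchlist plus an action rule filters one anomaly type) is easy to get wrong when reasoning about a new rule. The following Python model is an added illustration, not Splunk UBA's own code: the anomaly type names follow the page, but the `looks_algorithmic` heuristic, the `DomainLists` structure and the `REPUTATION` table standing in for a VirusTotal lookup are all assumptions made for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass, field

# Anomaly type names as used on the page. The detection logic below is a
# simplified stand-in for illustration; it is not how Splunk UBA scores domains.
AGD = "Algorithmically Generated Domain"
MALICIOUS = "Malicious Domain"
BLACKLISTED = "Blacklisted Domain"


def normalize_domain(value: str) -> str:
    """Strip a scheme, path and trailing dot so 'http://x.example.com/' and
    'X.EXAMPLE.COM.' both map to 'x.example.com' for list lookups."""
    host = value.split("://", 1)[1] if "://" in value else value
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".").lower()


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_algorithmic(domain: str) -> bool:
    """Hypothetical AGD heuristic: a long, high-entropy, vowel-poor leftmost
    label (e.g. 's647gfdsfgtl') is treated as machine-generated."""
    label = normalize_domain(domain).split(".")[0]
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 2.8 and vowel_ratio < 0.3


@dataclass
class DomainLists:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    watchlist: set = field(default_factory=set)
    # Anomaly action rule for the watchlist: anomaly types to suppress
    # for watchlisted domains (assumed representation).
    watchlist_suppress: set = field(default_factory=set)


# Constructed stand-in for a VirusTotal reputation lookup (not real data).
REPUTATION = {"s647gfdsfgtl.example.com": "malicious", "intranet.example.com": "clean"}


def anomalies_for(domain: str, lists: DomainLists) -> list[str]:
    """Return the anomaly types an event for this domain would raise."""
    d = normalize_domain(domain)
    if d in lists.whitelist:          # whitelist: never raise anything
        return []
    raised = []
    if d in lists.blacklist:          # blacklist: always raise
        raised.append(BLACKLISTED)
    if looks_algorithmic(d):
        raised.append(AGD)
    if REPUTATION.get(d) == "malicious":
        raised.append(MALICIOUS)
    if d in lists.watchlist:          # watchlist + action rule: filter one type
        raised = [a for a in raised if a not in lists.watchlist_suppress]
    return raised


if __name__ == "__main__":
    # The page's scenario: keep the Malicious Domain anomaly, drop the AGD one.
    lists = DomainLists(watchlist={"s647gfdsfgtl.example.com"}, watchlist_suppress={AGD})
    print(anomalies_for("http://s647gfdsfgtl.example.com", lists))
```

Run with no arguments to see that the watchlisted domain still yields only the Malicious Domain anomaly; move the same domain into `whitelist` and nothing is raised at all, which is exactly why a watchlist with an action rule, rather than the whitelist, is the right tool for suppressing a single anomaly type.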
Review the domain information
- Identify any threats and any anomalies associated with the domain. Click a threat to open the Threats page for that domain, or an anomaly to open the Anomalies page for that domain.
- See all users in the anomalies associated with this domain. Click the name of a user to open the User Information page for the user. See View user information.
- Identify devices associated with the domain anomalies.
- Review the participants in any associated anomalies and the relative severity of the interactions in the Domain Relations panel. Check whether multiple users are visiting the same questionable domain; several otherwise unrelated users reaching a rare domain points to a shared infection or beaconing rather than one person's browsing.
- Review the Domain Registrant (Whois) to see what WHOIS registration data exists for the domain. Note the registration date and registrar: a domain registered only days before the activity you are investigating is a common trait of phishing and malware infrastructure.
- Determine if the domain is associated with malware or is otherwise malicious by viewing information about the domain in VirusTotal. Treat a lack of detections as inconclusive rather than as proof the domain is benign; newly registered or low-traffic domains often have no detections yet.
Review the domain anomalies
See all anomalies associated with a domain on the domain anomalies section of the domain details.
- Review the Domain Anomalies Timeline to see the types of anomalies associated with the domain over time.
- Review the Domain Anomalies Trend to spot spikes in the number of anomalies for the domain over time.
- Review the table of Domain Anomalies to see a comprehensive list of all anomalies associated with the domain.
Review the domain threats
See all threats associated with a domain on the domain threats section of the domain details.
- Review the Domain Threats Timeline to see the types of threats associated with the domain over time.
- Review the table of Domain Threats to see a comprehensive list of all threats associated with the domain.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2