Investigate and monitor domains
Investigate and monitor the domains in your network associated with anomalies. View details about domains associated with anomalies on the Domain Details page.
- Click Explore > Anomalies to open the anomalies table.
- Open an anomaly that contains a domain name, such as the Blacklisted Domain anomaly or a Domain Name Anomaly.
- Click the domain name from the list of Domains to view the domain details.
Add a domain to a watchlist
Monitor domains in your network by adding a domain to a watchlist.
- From the Domain Details page, select Watchlists.
- Select a watchlist to add the domain to the watchlist.
Unlike the domain allow list and domain deny list, a domain watchlist does not by itself decide whether anomalies are created. Instead, you use a watchlist as a reference set: anomaly action rules can act on anomalies that involve watchlisted domains, and custom threats can take watchlisted domains into account. Add a domain to the allow list to make sure that events associated with the domain never create anomalies or threats. Add a domain to the deny list to make sure that events associated with the domain always create anomalies or threats. If you want events associated with a domain to stop creating anomalies of one specific type while still creating anomalies of other types, add the domain to a domain watchlist and create an anomaly action rule that targets that watchlist.
For example, to prevent events containing the domain http://s647gfdsfgtl.example.com from creating algorithmically generated domain anomalies, while still allowing them to create a malicious domain anomaly, add the domain to a watchlist and create an anomaly action rule for that watchlist and anomaly type. See Take action on anomalies with anomaly action rules.
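The following is an added illustration of the precedence described above, written for this page; it is not Splunk UBA code and does not reproduce how UBA evaluates its lists internally. It models an allow list, a deny list, named watchlists and anomaly action rules, and shows the page's example: a watchlisted domain whose algorithmically generated domain anomaly is suppressed while its malicious domain anomaly is still created. The ordering (allow list checked first, then deny list, then action rules) and the subdomain matching are assumptions made for the example.

```python
"""Model of domain allow list, deny list, watchlist and anomaly action rule
interaction. Added example for illustration only; not Splunk UBA code.
Assumptions: allow list wins over deny list, deny list wins over action
rules, and a list entry also matches its subdomains."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Anomaly type names used by this example (hypothetical labels).
ALGO_GENERATED = "Algorithmically Generated Domain"
MALICIOUS_DOMAIN = "Malicious Domain"


def normalize_domain(value: str) -> str:
    """Accept a bare host or a URL (the page's example is written as a URL)
    and return the lower-cased host name without a trailing dot."""
    host = value
    if "://" in value:
        host = urlparse(value).hostname or ""
    return host.lower().rstrip(".")


def domain_matches(host: str, entry: str) -> bool:
    """True for an exact match or when host is a subdomain of entry."""
    entry = normalize_domain(entry)
    return host == entry or host.endswith("." + entry)


@dataclass
class ActionRule:
    """Suppress anomalies of anomaly_type for domains on the named watchlist."""
    watchlist: str
    anomaly_type: str


@dataclass
class DomainLists:
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)
    watchlists: dict = field(default_factory=dict)  # watchlist name -> set of domains
    rules: list = field(default_factory=list)       # list of ActionRule

    def _on(self, host: str, entries) -> bool:
        return any(domain_matches(host, e) for e in entries)

    def evaluate(self, domain: str, candidate_anomalies: list) -> list:
        """Return the anomaly types that should actually be created for domain,
        given the candidate anomaly types the detection models produced."""
        host = normalize_domain(domain)
        if self._on(host, self.allow):
            return []                          # allow list: never create anomalies
        if self._on(host, self.deny):
            return list(candidate_anomalies)   # deny list: always create them
        suppressed = {
            rule.anomaly_type
            for rule in self.rules
            if self._on(host, self.watchlists.get(rule.watchlist, set()))
        }
        return [a for a in candidate_anomalies if a not in suppressed]


def page_example() -> DomainLists:
    """Configuration matching the page's example: the lookalike domain is on a
    watchlist (hypothetical name) with a rule that drops DGA anomalies only."""
    return DomainLists(
        allow={"cdn.example.com"},
        deny={"known-bad.example.net"},
        watchlists={"dga-review": {"s647gfdsfgtl.example.com"}},
        rules=[ActionRule(watchlist="dga-review", anomaly_type=ALGO_GENERATED)],
    )


if __name__ == "__main__":
    lists = page_example()
    candidates = [ALGO_GENERATED, MALICIOUS_DOMAIN]
    for d in ("http://s647gfdsfgtl.example.com", "cdn.example.com",
              "x.known-bad.example.net", "other.example.org"):
        print(d, "->", lists.evaluate(d, candidates))
```

Running the block prints which anomaly types survive for each sample domain; the watchlisted lookalike keeps only the malicious domain anomaly, the allow-listed host keeps none, and the deny-listed host keeps both.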
Review the domain information
- Identify any threats and anomalies associated with the domain. Click a threat to open the Threats page filtered to this domain, or click an anomaly to open the Anomalies page filtered to this domain.
- See all users in the anomalies associated with this domain. Click the name of a user to open the User Information page for the user. See View user information.
- Identify devices associated with the domain anomalies.
- Review the participants in any associated anomalies and the relative severity of the interactions in the Domain Relations panel. Identify if there are multiple users visiting the same questionable domain.
- Review the Domain Registrant (Whois) to see what WHOIS registration data exists for the domain.
- Determine if the domain is associated with malware or is otherwise malicious by viewing information about the domain in VirusTotal.
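The WHOIS and VirusTotal checks in the last two items are the ones an analyst usually scripts. The block below is an added example written for this page, not Splunk UBA code or a UBA integration. It parses a VirusTotal v3 domain object (the sample response is constructed here; the field names `data.attributes.last_analysis_stats`, `whois` and `creation_date` follow the public VirusTotal v3 API as I understand it and should be treated as assumptions), pulls the registrar out of the WHOIS text, and produces a verdict that also flags recently registered domains, which is a common trait of algorithmically generated or throwaway malicious domains. The live `fetch_domain_report` helper needs a VirusTotal API key and is never called by the offline part.

```python
"""Triage a domain from a VirusTotal v3 domain report plus its WHOIS text.
Added example for this page; not Splunk UBA code. The JSON below is a
constructed sample, and the VT field layout is an assumption."""
import json
import os
import time
from urllib.request import Request, urlopen

# Constructed sample response shaped like a VirusTotal v3 domain object.
SAMPLE_VT_RESPONSE = json.dumps({
    "data": {
        "type": "domain",
        "id": "s647gfdsfgtl.example.com",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 60, "malicious": 7, "suspicious": 2,
                "undetected": 20, "timeout": 0,
            },
            "creation_date": 1700000000,  # 2023-11-14 UTC, epoch seconds
            "whois": (
                "Domain Name: s647gfdsfgtl.example.com\n"
                "Registrar: Example Registrar, Inc.\n"
                "Creation Date: 2023-11-14T22:13:20Z\n"
                "Registrant Organization: REDACTED FOR PRIVACY\n"
            ),
        },
    }
})


def fetch_domain_report(domain: str, api_key: str = None) -> str:
    """Live lookup (not used offline). Reads VT_API_KEY from the environment
    if no key is passed. Returns the raw JSON body."""
    key = api_key or os.environ.get("VT_API_KEY")
    if not key:
        raise RuntimeError("VirusTotal API key required")
    req = Request(f"https://www.virustotal.com/api/v3/domains/{domain}",
                  headers={"x-apikey": key, "Accept": "application/json"})
    with urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' WHOIS lines into a dict keyed by lower-cased key.
    Splits on the first colon only so timestamps survive intact."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def assess(report_json: str, now: float = None,
           malicious_threshold: int = 3, young_days: int = 30) -> dict:
    """Summarise a VT domain report. Verdict is 'malicious' when at least
    malicious_threshold engines flag it, 'suspicious' when any engine is
    suspicious or the domain was registered fewer than young_days ago,
    otherwise 'clean'. Missing fields are tolerated."""
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    whois = parse_whois(attrs.get("whois", ""))
    now = time.time() if now is None else now
    created = attrs.get("creation_date")
    age_days = None if created is None else (now - created) / 86400.0

    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    reasons = []
    if malicious >= malicious_threshold:
        reasons.append(f"{malicious} engines flag the domain as malicious")
    if suspicious:
        reasons.append(f"{suspicious} engines flag the domain as suspicious")
    if age_days is not None and age_days < young_days:
        reasons.append(f"registered only {age_days:.0f} days ago")

    if malicious >= malicious_threshold:
        verdict = "malicious"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "domain": whois.get("domain name"),
        "registrar": whois.get("registrar"),
        "age_days": age_days,
        "malicious": malicious,
        "suspicious": suspicious,
        "verdict": verdict,
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_VT_RESPONSE), indent=2))
```

Calibrate `malicious_threshold` to your own false-positive tolerance; a single engine hit on a popular domain is noise, while several hits on a domain that is also a few days old is worth a watchlist entry and a closer look at the users in the Domain Relations panel.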
Review the domain anomalies
See all anomalies associated with a domain on the domain anomalies section of the domain details.
- Review the Domain Anomalies Timeline to see the types of anomalies associated with the domain over time.
- Review the Domain Anomalies Trend to identify large numbers of domain anomalies over time.
- Review the table of Domain Anomalies to see a comprehensive list of all anomalies associated with the domain.
Review the domain threats
See all threats associated with a domain on the domain threats section of the domain details.
- Review the Domain Threats Timeline to see the types of threats associated with the domain over time.
- Review the table of Domain Threats to see a comprehensive list of all threats associated with the domain.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 126.96.36.199, 5.0.5, 188.8.131.52