Investigate and monitor domains
Investigate and monitor the domains in your network that are associated with anomalies. View details about domains on the Domain Details page.
- From the Splunk UBA navigation menu, select Explore > Anomalies. This opens the Anomalies Table.
- Open an anomaly that contains a domain name, such as a Domain Name Anomaly.
- Click the domain name from the list of Domains to view the domain details.
Add a domain to a Watchlist
Monitor domains in your network by adding a domain to a Watchlist.
- From the Domain Details page, select Watchlists.
- Select a Watchlist to add the domain to the Watchlist.
Unlike the domain allow list and domain deny list, a domain watchlist lets you take action on anomalies or create custom threats that take watchlisted domains into account. Add a domain to an allow list to make sure that events associated with the domain do not create anomalies or threats. Add a domain to a deny list to make sure that events associated with the domain create anomalies or threats. However, if you want to make sure that events associated with a domain do not create anomalies of one specific type, add the domain to a domain watchlist and create an anomaly action rule.
For example, to prevent events containing the domain http://s647gfdsfgtl.example.com from creating algorithmically generated domain anomalies, but still create a malicious domain anomaly, create an anomaly action rule. See Take action on anomalies with anomaly action rules.
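The interaction between the allow list, deny list, and a watchlist paired with an anomaly action rule, as an added illustrative model. This is not Splunk UBA code: the list structures, the way the action rule is represented (a set of suppressed anomaly types for watchlisted domains), the URL-to-domain normalization, and the precedence order when a domain appears on more than one list are all assumptions made for the example.

```python
"""Illustrative model of domain allow list / deny list / watchlist semantics.

Constructed example, not Splunk UBA code. Assumptions: lists hold bare
domain names, an anomaly action rule is modelled as the set of anomaly types
it suppresses for watchlisted domains, and the allow list is checked before
the deny list when a domain is on both.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class DomainPolicy:
    allow_list: set = field(default_factory=set)   # never raise anomalies/threats
    deny_list: set = field(default_factory=set)    # always raise anomalies/threats
    watchlist: set = field(default_factory=set)    # eligible for action rules
    # Anomaly types an action rule suppresses for watchlisted domains (assumed shape).
    suppressed_types: set = field(default_factory=set)


def domain_from_event(value: str) -> str:
    """Normalize an event value (bare domain or URL) to a lowercase domain name."""
    value = value.strip()
    host = urlparse(value).hostname if "://" in value else value
    return (host or "").lower().rstrip(".")


def should_raise_anomaly(policy: DomainPolicy, event_value: str, anomaly_type: str):
    """Decide whether an event for this domain should create an anomaly of the
    given type. Returns (decision, reason) so the outcome is explainable."""
    domain = domain_from_event(event_value)
    if domain in policy.allow_list:
        return False, "allow list: events for this domain never create anomalies"
    if domain in policy.deny_list:
        return True, "deny list: events for this domain always create anomalies"
    if domain in policy.watchlist and anomaly_type in policy.suppressed_types:
        return False, f"watchlist + anomaly action rule: '{anomaly_type}' suppressed"
    return True, "no list matched: normal anomaly processing"


# Constructed sample policy mirroring the documented scenario: the watchlisted
# domain must not raise algorithmically generated domain anomalies but may
# still raise malicious domain anomalies.
SAMPLE_POLICY = DomainPolicy(
    allow_list={"updates.example.com"},
    deny_list={"known-bad.example.net"},
    watchlist={"s647gfdsfgtl.example.com"},
    suppressed_types={"Algorithmically Generated Domain"},
)

if __name__ == "__main__":
    for value, kind in [
        ("http://s647gfdsfgtl.example.com", "Algorithmically Generated Domain"),
        ("http://s647gfdsfgtl.example.com", "Malicious Domain"),
        ("updates.example.com", "Malicious Domain"),
        ("known-bad.example.net", "Beaconing"),
    ]:
        print(value, kind, should_raise_anomaly(SAMPLE_POLICY, value, kind))
```

The decision function returns a reason string alongside the boolean so that an analyst reviewing why a domain did or did not produce an anomaly can see which list or rule applied.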
Review the domain information
See all the information associated with a domain.
- Identify any threats associated with the domain, and any anomalies associated with the domain. Click a threat to open the Threats page for the domain details, or an anomaly to open the Anomalies page for the domain details.
- See all users in the anomalies associated with this domain. Click the name of a user to open the User Information page for the user. See View user information.
- Identify devices associated with the domain anomalies.
- Review the participants in any associated anomalies and the relative severity of the interactions in the Domain Relations panel. Identify if there are multiple users visiting the same questionable domain.
- Review the Domain Registrant (Whois) to see what WHOIS registration data exists for the domain.
- Determine if the domain is associated with malware or is otherwise malicious by viewing information about the domain in VirusTotal.
Review the domain anomalies
See all anomalies associated with a domain on the domain anomalies section of the domain details.
- Review the Domain Anomalies Timeline to see the types of anomalies associated with the domain over time.
- Review the Domain Anomalies Trend to identify large numbers of domain anomalies over time.
- Review the table of Domain Anomalies to see a comprehensive list of all anomalies associated with the domain.
Review the domain threats
See all threats associated with a domain on the domain threats section of the domain details.
- Review the Domain Threats Timeline to see the types of threats associated with the domain over time.
- Review the table of Domain Threats to see a comprehensive list of all threats associated with the domain.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1