splunk/security_content

[BUG] DNS Query Length With High Standard Deviation

josehelps opened this issue · 1 comment

Reported via EMAIL by Sebastian Wurl

Hi Splunk,

I recognized a potential error in “DNS Query Length With High Standard Deviation” (https://research.splunk.com/network/1a67f15a-f4ff-4170-84e9-08cf6f75d6f5/)

The search starts with:

| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where NOT DNS.message_type IN("Pointer","PTR") by DNS.query host

According to the CIM documentation, the field message_type expects values “Query” or “Response”.

While the record_type expects values like “PTR”:

So I assume the filter should be adjusted to NOT DNS.record_type IN("Pointer","PTR") within the SPL.
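To make the reported mismatch concrete, the following is an added example (not part of this issue or of the splunk/security_content detection): a small Python model of the `where NOT DNS.<field> IN("Pointer","PTR")` exclusion, run over constructed CIM-style DNS events, followed by the per-host query-length statistics the detection's name refers to. Field semantics follow the CIM reading given in the report (`message_type` holds "Query"/"Response", `record_type` holds "A"/"AAAA"/"PTR"); the hosts, hostnames and event counts are constructed sample data, and `exclude_ptr`, `query_length_stats` and `ptr_events_remaining` are hypothetical helper names.

```python
"""Added example: why the PTR exclusion must key on record_type, not message_type.

Constructed events in the shape of CIM Network_Resolution fields. Reverse-DNS
(PTR) lookups carry long in-addr.arpa names that widen the query-length spread
on a host without indicating anything suspicious, which is why the detection
excludes them. Keying the exclusion on message_type excludes nothing, because
that field only ever holds "Query" or "Response".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "message_type": "Query",    "record_type": "A",    "query": "example.com"},
    {"host": "ws01", "message_type": "Response", "record_type": "A",    "query": "example.com"},
    {"host": "ws01", "message_type": "Query",    "record_type": "AAAA", "query": "www.example.org"},
    {"host": "ws01", "message_type": "Query",    "record_type": "PTR",  "query": "4.3.2.1.in-addr.arpa"},
    {"host": "ws01", "message_type": "Response", "record_type": "PTR",  "query": "100.200.168.192.in-addr.arpa"},
    {"host": "ws02", "message_type": "Query",    "record_type": "A",    "query": "login.example.net"},
    {"host": "ws02", "message_type": "Query",    "record_type": "PTR",  "query": "8.8.8.8.in-addr.arpa"},
]

# Values the SPL excludes: IN("Pointer","PTR")
PTR_VALUES = {"Pointer", "PTR"}


def exclude_ptr(events, field):
    """Model of `where NOT DNS.<field> IN("Pointer","PTR")` keyed on `field`.

    With field="message_type" no event is dropped, since that field never
    holds a PTR value; with field="record_type" the PTR events are removed.
    """
    return [e for e in events if e.get(field) not in PTR_VALUES]


def ptr_events_remaining(events, field):
    """Count PTR records that survive the exclusion when it is keyed on `field`."""
    return sum(1 for e in exclude_ptr(events, field) if e["record_type"] in PTR_VALUES)


def query_length_stats(events):
    """Per-host count, mean and population stdev of query length.

    This is the aggregation the detection's title describes; thresholds and the
    rest of the original search are not modelled here.
    """
    lengths = defaultdict(list)
    for e in events:
        lengths[e["host"]].append(len(e["query"]))
    return {
        host: {
            "count": len(ls),
            "avg": mean(ls),
            "stdev": pstdev(ls) if len(ls) > 1 else 0.0,
        }
        for host, ls in lengths.items()
    }


if __name__ == "__main__":
    for field in ("message_type", "record_type"):
        kept = exclude_ptr(SAMPLE_EVENTS, field)
        print(f"filter keyed on {field}: {len(kept)} events kept, "
              f"{ptr_events_remaining(SAMPLE_EVENTS, field)} PTR records still present")
        for host, s in sorted(query_length_stats(kept).items()):
            print(f"  {host}: count={s['count']} avg={s['avg']:.2f} stdev={s['stdev']:.2f}")
```

Running the block shows the effect the report predicts: keyed on `message_type`, all seven events (three of them PTR) pass the filter and ws01's query-length standard deviation is inflated by the in-addr.arpa names; keyed on `record_type`, the PTR events are dropped and the spread on ws01 falls to what its forward lookups alone produce.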

Hey, just a heads up: this has now been resolved on https://github.com/splunk/security_content/releases/tag/v4.24.0. Please let us know if you run into anything else, and thank you again for raising this!