top of page

Passive DNS with Splunk

Using Dataflect + Splunk + VirusTotal, you can quickly and easily satisfy requirements for centralized visibility into Passive DNS within your logging/SIEM solution.

Passive DNS refers to a technique used for monitoring and analyzing DNS (Domain Name System) queries and responses. This method involves collecting data passively, without actively querying DNS servers, to create a historical database of DNS requests and responses. This database can be used for various purposes, such as detecting malicious domains, tracking domain name usage, and understanding web trends.

In the context of the OMB (Office of Management and Budget) M-21-31 Memorandum, Passive DNS plays a crucial role in enhancing cybersecurity. The memorandum, which is a directive for federal agencies, emphasizes the need for improved cybersecurity measures. By using Passive DNS, federal agencies can better monitor and analyze DNS traffic to detect anomalies, track the spread of malware, and identify potential cyber threats. This proactive stance is part of a broader strategy to strengthen the security of government networks and protect against cyber attacks.

One important component necessary to satisfy this requirement is the collection of DNS requests made by clients within your environment. But this is only a piece of the puzzle. It's important to know the history of DNS resolutions for domains that might not be captured in requests made by your users/assets.

By using Dataflect to integrate your Splunk environment with VirusTotal, you can quickly, affordably, and easily add tremendous context regarding the historical DNS resolution of a hostname.

The below examples demonstrates this implementation, using the Dataflect Search capability to query the VirusTotal API for a given domain:

In the following example the logic has been modified to enclude enrichment via the Dataflect Enrich capability, showing information on VirusTotal's analysis of the associated IP address:

In the following example we use the Dataflect Enrich capability to add historical resolution context to a domain that shows up in our logs. One might use this as part of your SOAR capabilities to enrich a ticket that is being sent to your Incident Management System, or to provide context to your analysts to assist in their investigation and incident response.

Before Dataflect:

After Dataflect:

This is just one of the many ways the Dataflect can extend Splunk's native capabilities. Contact us today at to schedule a demo and see what else you can do with Dataflect.


Recent Posts

See All


bottom of page