Monitor Web Traffic For Brand Abuse

The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage.

Detection Query

| tstats `security_content_summariesonly`
  values(Web.url) as urls
  min(_time) as firstTime
  from datamodel=Web
  by Web.src
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse
| search domain_abuse=true
| `monitor_web_traffic_for_brand_abuse_filter`
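The logic of the search above, as an added Python example that is not part of the ESCU content: a small dnstwist-style permutation set stands in for the brandMonitoring_lookup that "ESCU - DNSTwist Domain Names" would produce, and constructed proxy records are grouped by source the way the tstats search groups by Web.src. The permutation tables, the log format and every domain name are assumptions for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Reduced stand-in for the "ESCU - DNSTwist Domain Names" output: a few of the
# permutation classes dnstwist generates. These tables are constructed, not dnstwist's.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3"}
TLDS = ["com", "net", "co"]

def permutations(brand: str) -> set:
    """Look-alike domains for brand (e.g. 'example.com'); never brand itself."""
    name, tld = brand.lower().rsplit(".", 1)
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                 # omission
        names.add(name[:i] + name[i] + name[i:])           # repetition
        if i + 1 < len(name):                              # transposition
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        if name[i] in HOMOGLYPHS:                          # homoglyph
            names.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    names.discard(name)
    lookalikes = {f"{n}.{t}" for n in names for t in TLDS}
    return lookalikes | {f"{name}.{t}" for t in TLDS if t != tld}   # TLD swap

def registrable_domain(url: str) -> str:
    """Last two host labels; a simplification that ignores suffixes like co.uk."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def find_brand_abuse(log_lines, lookup) -> dict:
    """Mirror the SPL: per src, earliest request time and the matching URLs."""
    hits = defaultdict(lambda: {"firstTime": None, "urls": set()})
    for line in log_lines:
        ts, src, url = line.split(" ", 2)              # "<ISO time> <src> <url>"
        if registrable_domain(url) in lookup:          # lookup ... OUTPUT domain_abuse
            rec = hits[src]
            rec["urls"].add(url)                       # values(Web.url) as urls
            rec["firstTime"] = min(rec["firstTime"] or ts, ts)   # min(_time) as firstTime
    return dict(hits)

SAMPLE_LOG = [  # constructed proxy records, not real traffic; ISO times compare lexically
    "2026-03-10T08:01:02Z 10.0.0.5 https://exmaple.com/login",
    "2026-03-10T08:00:10Z 10.0.0.5 http://examp1e.com/reset",
    "2026-03-10T08:02:00Z 10.0.0.7 https://example.com/",
    "2026-03-10T08:03:30Z 10.0.0.9 https://www.example.net/account",
    "2026-03-10T08:04:00Z 10.0.0.7 https://cdn.unrelated.org/app.js",
]

if __name__ == "__main__":
    for src, rec in find_brand_abuse(SAMPLE_LOG, permutations("example.com")).items():
        print(src, rec["firstTime"], sorted(rec["urls"]))
```

The real lookup is matched against the full URL string in the SPL, so its entries must be maintained as wildcard patterns; this example instead extracts the registrable domain before matching, which is why the www.example.net request is still caught.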

Author

David Dorsey, Splunk

Created

2026-03-10

Tags

Brand Monitoring

Raw Content

name: Monitor Web Traffic For Brand Abuse
id: 134da869-e264-4a8f-8d7e-fcd0ec88f301
version: 9
date: '2026-03-10'
author: David Dorsey, Splunk
status: experimental
type: TTP
description: The following analytic identifies web requests to domains that closely resemble your monitored brand's domain, indicating potential brand abuse. It leverages data from web traffic sources, such as web proxies or network traffic analysis tools, and cross-references these with known domain permutations generated by the "ESCU - DNSTwist Domain Names" search. This activity is significant as it can indicate phishing attempts or other malicious activities targeting your brand. If confirmed malicious, attackers could deceive users, steal credentials, or distribute malware, leading to significant reputational and financial damage.
data_source: []
search: |
    | tstats `security_content_summariesonly`
      values(Web.url) as urls
      min(_time) as firstTime
      from datamodel=Web
      by Web.src
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse
    | search domain_abuse=true
    | `monitor_web_traffic_for_brand_abuse_filter`
how_to_implement: You need to ingest data from your web traffic. This can be accomplished by indexing data from a web proxy, or by using a network traffic analysis tool such as Bro or Splunk Stream. You also need to have run the search "ESCU - DNSTwist Domain Names", which generates the domain permutations that this search checks for.
known_false_positives: No false positives have been identified at this time.
references: []
rba:
    message: Potential Brand Abuse discovered in web logs
    risk_objects:
        - field: src
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Brand Monitoring
    asset_type: Endpoint
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network