Looks like you have DNS data indexed in Packetbeat. Here's a sample query that groups the last four hours of DNS questions by registered domain (eTLD+1), drops a short allowlist of common domains, and returns only domains that were queried with more than 10 distinct hostnames — a high hostname count under one domain is a rough indicator of DNS tunneling or domain-generation (DGA) traffic. Treat the allowlist and the threshold as starting points to tune for your environment; CDNs, telemetry and ad networks will produce legitimate hits.
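# Aggregate DNS questions seen by Packetbeat in the last 4 hours by registered
# domain (eTLD+1), exclude a small allowlist, and keep only domains queried with
# more than 10 distinct hostnames (a rough tunneling / DGA indicator).
#
# - The URL is quoted so the shell does not treat '<', '>', '*' or '?' as
#   redirections or globs; replace <elasticsearch> with your host.
# - The Content-Type header is mandatory for request bodies on Elasticsearch
#   6.0+ (strict content-type checking); older releases accept it too.
# - If your cluster is behind TLS/authentication, use https:// and add
#   credentials (e.g. -u user:pass or an API-key header) rather than sending
#   the query in the clear.
#
# NOTE(review): the "dns" mapping type in the path and "size": 0 on the terms
# aggregation (meaning "all buckets") are only accepted by older Elasticsearch
# releases — types were removed in 7.x and terms size 0 in 5.x; on newer
# clusters drop the type segment and set an explicit bucket limit. The
# allowlist values carry a trailing dot because Packetbeat stored
# dns.question.etld_plus_one that way in this version — verify against your
# index before relying on the exclusion.
curl -H 'Content-Type: application/json' \
  'http://<elasticsearch>:9200/packetbeat-*/dns/_search?pretty' -d'
{
  "query": {
    "bool": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-4h"
          }
        }
      },
      "must_not": {
        "terms": {
          "dns.question.etld_plus_one": [
            "akadns.net.",
            "amazonaws.com.",
            "apple.com.",
            "apple-dns.net.",
            "cloudfront.net.",
            "icloud.com.",
            "in-addr.arpa.",
            "google.com.",
            "yahoo.com."
          ]
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "by_domain": {
      "terms": {
        "size": 0,
        "field": "dns.question.etld_plus_one"
      },
      "aggs": {
        "unique_hostnames": {
          "cardinality": {
            "field": "dns.question.name"
          }
        },
        "total_bytes_in": {
          "sum": {
            "field": "bytes_in"
          }
        },
        "total_bytes_out": {
          "sum": {
            "field": "bytes_out"
          }
        },
        "high_num_hostnames": {
          "bucket_selector": {
            "buckets_path": {
              "unique_hostnames": "unique_hostnames"
            },
            "script": "unique_hostnames > 10"
          }
        }
      }
    }
  }
}'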