topic web gateway filter activity to urls in Getting Data In

web gateway filter activity to urls

daveevad — Fri, 19 Jun 2020 01:08:27 GMT

i have 117 sites listed from homeland security. i need to check if any of our machine have visited them. We have McAfee web gateway logs funneled into splunk. What's the best way to go about looking for that activity?

Re: web gateway filter activity to urls

daveevad — Fri, 13 Mar 2020 14:24:50 GMT

ok, maybe i was making this harder than it needs to be. I can do this for example...
source=Webgateway walmart.com
i get alot of hits, of course. Do i have to do this 117 times, one for each url/ftp site?

Re: web gateway filter activity to urls

daveevad — Fri, 13 Mar 2020 14:32:09 GMT

can i use "OR" statements between urls to search for several at one time?

Re: web gateway filter activity to urls

daveevad — Fri, 13 Mar 2020 14:34:33 GMT

Ah, answer is yes. How many can i string together?

Re: web gateway filter activity to urls

daveevad — Fri, 13 Mar 2020 15:05:44 GMT

apparently at least 10 sites. Was able to do searching without errors. Talked myself through this. I good now. Open to better ways though!
Thanks.

Re: web gateway filter activity to urls

manjunathmeti — Fri, 13 Mar 2020 16:04:33 GMT

Are these website values part of a field in the data?

Re: web gateway filter activity to urls

daveevad — Fri, 13 Mar 2020 17:22:56 GMT

as in my example for a walmart.com search, it showed up as
dhost="beacon.walmart.com"
That what you mean?

Re: web gateway filter activity to urls

manjunathmeti — Fri, 13 Mar 2020 17:26:08 GMT

yes, are other website names are part of this field?

Provide some sample for below query.

source=Webgateway | head 20 | table dhost

Re: web gateway filter activity to urls

daveevad — Fri, 13 Mar 2020 17:31:17 GMT

i had 117 various urls and ftp sites. I was checking to see if any of our user went to any of those site. One of my queries looked like this.
source=Webgateway www.upanddown.ocry.com OR dothi.chinhsech.com OR good.weascapes.com OR khinhte.chinhsech.com OR hcm.vozforumsx.com OR image.biengioivn.com OR lat.conglyan.com OR login.chinhphuna.com OR login.haiduongpcg.com OR luan.conglyan.com
Which worked, i threw in a youtube.com and a walmart.com in there to check. A table would be cleaner though...

Re: web gateway filter activity to urls

manjunathmeti — Fri, 13 Mar 2020 17:36:56 GMT

You can create a csv file with all the 117 urls, upload it in search head and use that in your search. This will filter data with all the urls in csv file.

urls.csv

dhost
www.upanddown.ocry.com
www.upanddown.ocry.com
good.weascapes.com
khinhte.chinhsech.com
...

Search query:

source=Webgateway [ | inputlookup urls.csv]

Re: web gateway filter activity to urls

daveevad — Fri, 13 Mar 2020 18:21:32 GMT

cool! thanks!

Re: web gateway filter activity to urls

manjunathmeti — Fri, 13 Mar 2020 18:27:20 GMT

I converted my comment to answer. Please accepts it if it works for you.

Re: web gateway filter activity to urls

PavelP — Fri, 13 Mar 2020 22:58:17 GMT

such lists (example: https://urlhaus.abuse.ch/browse/) often contains full urls with http:// prefix. A url http://www.example.com/ from the csv file will not match https://www.example.com/foo?xx in your proxy log. It is better to extract the domain part (www.example.com or even example.com) before searching.