topic Re: How do I extract certain fields into a KV Store and then perform checks against that KV Store in Splunk Search

How do I extract certain fields into a KV Store and then perform checks against that KV Store

jhilton90 — Wed, 12 Jul 2023 13:46:52 GMT

So I'm ingesting advanced hunting logs into Splunk and one of the interesting fields is properties.InitiatingProcessSHA1, which is a hash of whatever file (properties.InitiatingProcessVersionInfoOriginalFileName) is being run on the end user's machine.

I want to be able to extract the SHA1 value and FileName value into a KV Store and then be able to make queries against that KV store.

For example, say there is a SHA1 hash for a file called text_program.exe, which has appeared in the logs:

SHA1: 111111111111

FileName: test_program.exe

I'd like to be able to extract the hash value as well as the file name into a KV Store, and make queries against the KV store. Because in the event that someone clicks on a phishing email and accidently downloads a program called text_program.exe and it has a hash value of 22222222222, I can investigate this.

I'm just wondering what the best way to tackle this would be

Re: How do I extract certain fields into a KV Store and then perform checks against that KV Store

richgalloway — Wed, 12 Jul 2023 20:27:45 GMT

After you've created the KV Store collection, it can be used like any other lookup. Use the outputlookup command to write to it and the lookup or inputlookup command to fetch from it.

Re: How do I extract certain fields into a KV Store and then perform checks against that KV Store

jhilton90 — Thu, 13 Jul 2023 08:22:43 GMT

Ideally I don't want to manually add field values to the kv store, I'd like the field values to be automatically added if they are not already in the KV Store.

Re: How do I extract certain fields into a KV Store and then perform checks against that KV Store

richgalloway — Thu, 13 Jul 2023 15:08:52 GMT

In that case, you may have to use a normal lookup table rather than a KVStore collection.