All Apps and Add-ons

Getwatchlist Add-on for Splunk Enterprise: common lookup format and https proxy

dominiquevocat
SplunkTrust
SplunkTrust

Is there some kind of definition of what info gets to be placed in what field? Some sources deliver CIDR, some deliver IP, some deliver DNS domains etc. Is there a definition of what the lookup table should look like that gathers all sources and provides a systemwide lookup?
I would like to gather a global list of suspicions internet destinations and/or client IPs

Also, urllib has issues with https via proxy and I have good experiences with the requests library. Any chance the author will consider using that library?

0 Karma

dshpritz
SplunkTrust
SplunkTrust

There is no guidance on what the lookups should look like, getwatchlist is just a tool that you can use to grab a URL and make a lookup. How you map those for your use is really up to you. Some examples can be found in the config, or here:

Splunk Blogs
Stratum Security

Also, keep in mind that you can map fields using the "=", so for example, if the 4th column in the retrieved file is the name of the contributor, and you wanted it to be mapped to a field named "contributor" you can add "4=contributor" to the command to create that mapping.

As for the use of the requests library, that would be a possibility for the future, but I currently don't have any plans on when the next release would be.

Thanks,

Dave

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...