All Apps and Add-ons

isBad TRUE can someone explain this isBad key / value

jcorcoran508
Path Finder

I have been searching for a couple of hours for an explanation and what purpose this k/v isBad TRUE 

can you please elaborate on this question .

 

 

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please explain the context.  What app produced this?  Where do you see this keyword/value pair?

---
If this reply helps you, Karma would be appreciated.
0 Karma

jcorcoran508
Path Finder

https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

index=main sourcetype=stream:*
| lookup sunburstDOMAIN_lookup Domain AS query
| search isBad=TRUE
| stats VALUES(query) AS "Sunburst" by src_ip

 

0 Karma

acharlieh
Influencer

In that blog post @rkovar_splunk mentions: 

I’ve also started throwing some lookup files into a GitHub repo, which you can explore independently

And sure enough in that repo you'll find sunburstDOMAIN_lookup.csv where every Domain in this lookup has a column isBad set to the string TRUE.

As it stands, with the isBad field on this lookup being all set to the same sentinel value, means the query is a simple indication that a particular sunburst related domain was found in your stream data. And such a use case could even be written without the isBad column, by outputting the field being looked up when it is found like so:

index=main sourcetype=stream:*
| lookup sunburstDOMAIN_lookup Domain AS query OUTPUT Domain AS SunburstDomain
| where isnotnull(SunburstDomain)
| stats VALUES(query) AS "Sunburst" by src_ip

 
Having an isBad field makes it a bit more straightforward of a query. 

But the isBad field can also help you enable some additional use cases... by enabling you to quantify Known OK entries separate from the  Known Bad and the Unknown entries that don't show up in the lookup. This would help you drive the slightly different use cases to hunt down and verify the unknown, while keeping the use case of remediating the known bad.... Sure it might not be your use case in this case, or ever, but knowledge is power.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...