
How to whitelist combination of fields using lookup table?

utsav45
Explorer

Hello Experts,

We've got an alert which gets triggered if a service is installed on a Windows host.

index=winevents sourcetype="WinEventLog:System" EventCode=7045

We want to whitelist a combination of service and host. For example, if service A is installed on host A then it should be fine. Eventually, the list of host-service pairs would grow, so we would like to use a lookup table.

We have whitelisted a single field (src in the example below) by creating the lookup table and adding the line below to the condition, and it works perfectly alright.

| join type=left src [ | inputlookup whitelist.csv | search search_name="my search name" exclusion_field=src | rename exclusion_value AS src | eval whitelisted="true"]

| where NOT whitelisted="true"

I tried adding multiple fields to the line above, but it doesn't seem to be working.

What is the best way to address the requirement?

Thanks


maciep
Champion

What does your whitelist.csv look like?

Typically, you would just use the lookup command (not inputlookup) to look up fields from your events in the table, then output something that would indicate it's whitelisted.

For example, let's say your lookup has two fields: host, service. And maybe your events have fields called host_name and service_name. Then maybe something like this?

index=winevents sourcetype="WinEventLog:System" EventCode=7045
| lookup whitelist.csv host AS host_name, service AS service_name OUTPUT host AS found_host
| where isnull(found_host)

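As an added example that is not part of this thread or of Splunk itself, the following Python models what the accepted answer's lookup does: the whitelist.csv contents and the EventCode=7045 events are constructed, and the field names host_name/service_name are the ones maciep assumed. It also shows why the match must be on the (host, service) pair rather than on each field separately.

```python
import csv
import io

# Constructed whitelist.csv: one approved (host, service) pair per row.
WHITELIST_CSV = """host,service
srv-app01,Backup Agent
srv-db02,Monitoring Agent
"""

# Constructed EventCode=7045 events, with fields as Splunk would extract them.
EVENTS = [
    {"host_name": "srv-app01", "service_name": "Backup Agent"},      # approved pair
    {"host_name": "srv-db02",  "service_name": "Backup Agent"},      # known host, known service, pair never approved
    {"host_name": "srv-app01", "service_name": "TempSvc"},           # unknown service
    {"host_name": "srv-db02",  "service_name": "Monitoring Agent"},  # approved pair
]


def load_whitelist(csv_text):
    """Return the set of approved (host, service) tuples, i.e. the lookup keyed on both fields."""
    return {(row["host"], row["service"]) for row in csv.DictReader(io.StringIO(csv_text))}


def alert_pair_match(events, allowed):
    """Models the accepted answer:
    | lookup whitelist.csv host AS host_name, service AS service_name OUTPUT host AS found_host
    | where isnull(found_host)
    The lookup row matches only when BOTH fields match, so only unapproved pairs alert."""
    return [e for e in events if (e["host_name"], e["service_name"]) not in allowed]


def alert_independent_match(events, allowed):
    """Models whitelisting host and service as two separate single-field exclusions.
    Included to show the failure mode: a known host plus a known service gets suppressed
    even though that particular host/service combination was never approved."""
    hosts = {h for h, _ in allowed}
    services = {s for _, s in allowed}
    return [e for e in events if e["host_name"] not in hosts or e["service_name"] not in services]


def pairs(events):
    """Convenience: reduce alerted events to (host, service) tuples for comparison."""
    return [(e["host_name"], e["service_name"]) for e in events]
```

Running alert_pair_match over EVENTS alerts on both the unapproved pair and the unknown service, while alert_independent_match silently drops the unapproved pair.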


utsav45
Explorer

Hi Mate,

Thanks for your reply.

I tried to use the lookup command instead of inputlookup and surprisingly it gives me an error: "Error in 'lookup' command: Lookups: The lookup table 'utsavtest.csv' does not exist or is not available."

When I try to use the same lookup table with the inputlookup command (the one I mentioned previously), it doesn't give the error.

I believe permissions should work the same for both commands. Not sure.

I've attached screenshots of the lookup table, the error while running the Splunk search, and the lookup table permissions at the OneDrive URL below.


Thanks


maciep
Champion

Interesting. I think you can do lookups against the csv directly, but maybe try creating a lookup definition for that csv to see if that works. Settings -> Lookups -> Lookup Definitions.


utsav45
Explorer

Thanks Mate,

I had to add a lookup definition for the newly created lookup table. After that I was able to achieve the requirement using the query you suggested.

Thanks heaps!!


maciep
Champion

Glad it's working!
