Splunk Search

IOC Inputlookup

zayedaljaberi
Engager

Hi,

My goal is to detect whether there are any matches with my custom Domain_IOC.csv list and display an additional column for the note.

Domain_IOC.csv list includes two columns
Domain and ioc_note (example picture of the lookup table attached)

If there are matches on the domain, I want the output to include the ioc_note column as well.

Current query I have (which gives me the matches on domain but doesn't include the ioc_note column):

index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| stats values(Domain) as IOC by Date,host,Account,IP,Action

For your kind support.

0 Karma

to4kawa
Ultra Champion
index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv | fields Domain]
| stats count by _time, Domain, Action, Category
| inputlookup append=t Domain_IOC.csv
| eval Domain=trim(Domain,".")
| eval Domain=trim(Domain,"*")
| selfjoin Domain
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| fields - _time

Hi folks,
Domain in the search has an extra . (dot) and Domain in the lookup has an extra * (asterisk).
These can't match by lookup.

0 Karma

harsmarvania57
SplunkTrust

Nice find, I didn't notice the extra dot and wildcard in the lookup. However, you can do a wildcard lookup; it is possible, have a look at my answer https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html

0 Karma

harsmarvania57
SplunkTrust

Hi,

Please try the search below:

index=dns sourcetype="dnslog"
| stats values(Domain) as Domain by _time,host,Account,IP,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| fields - _time
0 Karma

zayedaljaberi
Engager

Hi Hars,

Unfortunately it didn't work, no events showed.

Would you please advise?

0 Karma

harsmarvania57
SplunkTrust

If you run the query below, are you getting any result?

index=dns sourcetype="dnslog"
| stats values(Domain) as Domain by _time,host,Account,IP,Action
0 Karma

zayedaljaberi
Engager

Hi,

No results based on your query.

To verify that I'm receiving the events, see the screenshot below.

0 Karma

harsmarvania57
SplunkTrust

Try the query below:

index=dns sourcetype="dnslog"
| stats count by _time,Domain,host,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| fields - _time
0 Karma
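The two points the thread turns on, the trailing dot on DNS query names versus the leading `*` in the lookup (to4kawa's post) and carrying `ioc_note` through as an output column while dropping non-matches (harsmarvania57's `lookup ... OUTPUT ioc_note | where isnotnull(ioc_note)`), can be checked offline before touching the lookup. The following is an added Python example, not code from the thread or from Splunk; the IOC rows and dnslog events are constructed, and it treats `*` in a lookup entry as a glob the way a wildcard lookup would.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed stand-in for Domain_IOC.csv: one wildcard entry, one exact entry.
IOC_CSV = """Domain,ioc_note
*.bad-cdn.example,known C2 staging (constructed note)
evil.example,phishing kit host (constructed note)
"""

# Constructed dnslog-style events. Note the trailing dot on every Domain,
# which is what stops a plain lookup from matching.
DNS_EVENTS = [
    {"_time": "2024-03-01 10:00:00", "host": "ws01", "Domain": "cdn1.bad-cdn.example.", "Action": "allowed"},
    {"_time": "2024-03-01 10:00:05", "host": "ws02", "Domain": "EVIL.example.", "Action": "blocked"},
    {"_time": "2024-03-01 10:00:09", "host": "ws03", "Domain": "www.good.example.", "Action": "allowed"},
    {"_time": "2024-03-01 10:00:12", "host": "ws04", "Domain": "notevil.example.", "Action": "allowed"},
]


def normalize(domain):
    """Equivalent of eval Domain=trim(Domain,"."): drop the trailing dot, lower-case."""
    return domain.strip().rstrip(".").lower()


def load_iocs(csv_text):
    """Return (pattern, ioc_note) pairs; a pattern containing '*' is matched as a glob."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(normalize(row["Domain"]), row["ioc_note"]) for row in rows]


def match_ioc(domain, iocs):
    """Return the ioc_note of the first matching IOC, or None (like a lookup OUTPUT field)."""
    d = normalize(domain)
    for pattern, note in iocs:
        if "*" in pattern:
            if fnmatchcase(d, pattern):  # '*.bad-cdn.example' matches any subdomain
                return note
        elif d == pattern:  # exact entries do not match 'notevil.example'
            return note
    return None


def flag_events(events, iocs):
    """Keep only IOC hits and add the ioc_note column (the where isnotnull(ioc_note) step)."""
    hits = []
    for event in events:
        note = match_ioc(event["Domain"], iocs)
        if note is not None:
            hits.append({**event, "Domain": normalize(event["Domain"]), "ioc_note": note})
    return hits
```

Running `flag_events(DNS_EVENTS, load_iocs(IOC_CSV))` returns the two IOC hits with their notes; the `www.good.example` and `notevil.example` queries are dropped.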