Dashboards & Visualizations

How to create a report to point to a file filled with hashes

mmiller779
New Member

I have a few files with a ton of signatures indicating a malicious actor.
The files consist of MD5 hashes, file sizes, filenames, and SHA256 hashes.
I'd like to make a dashboard with reports checking for these indicators but there are hundreds of them and I don't want to hand jam.
Is there a way to point to the file and have Splunk parse the documents to check for indicators?

0 Karma

to4kawa
Ultra Champion

If your files are text, please provide samples.

0 Karma

Richfez
SplunkTrust

Yes, probably, if I understand the question?

But on reading it four times now, I am convinced I do not understand the question.

You have a file of signatures. Fine.

You want to check for these indicators?

1) By file name? md5hash of files? filenames?
2) Where would you get whatever it is in step 1 that you want to compare with?

If you have the data for #2, then possibly it's as easy as just configuring a CSV lookup using that file as your source, and ... and searching for those?

This can be done in a variety of ways. For instance, you could use inputlookup as a "Feed" into a search:

index=windows sourcetype=filenames [|inputlookup mycsvfilesearch | fields filename ]

That would FIRST take a copy of the CSV you made, then trim it down to just a list of the filenames. That would then return via the subsearch back into the main search, so your main search would end up being like

index=windows sourcetype=filenames (filename=BILLY.EXE OR filename=RALPH.EXE ... )

Feels like | lookup would be better, and generally it is, but I'm still pretty sure I don't understand what it is you are after.

What we need to move this forward is a better description of the pieces involved. Samples of the data. Samples of the events you think you can tie them into. SPL you've tried so far...

Or, if this answers your question then ... great! Let me know and I'll convert this to an Answer and you can accept it. 🙂

0 Karma
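What the CSV-lookup approach described in the answer above amounts to, as an added Python illustration that is not SPL and not from anyone in the thread: the indicator file is indexed on md5, on sha256 and on the compound filename+size, values are normalised the same way on both sides, and each matching event is enriched with which indicator hit. The column names md5, size, filename and sha256, the placeholder hashes and the sample events are constructed assumptions.

```python
import csv

# Constructed indicator file in the layout from the question (MD5, size,
# filename, SHA256). Hash values are placeholders, not real indicators.
IOC_CSV = f"""md5,size,filename,sha256
{'A' * 32},4096,BILLY.EXE,{'1' * 64}
{'b' * 32},2048,ralph.exe,{'2' * 64}
"""

# Constructed events standing in for index=windows sourcetype=filenames.
EVENTS = [
    {"host": "ws01", "filename": "C:\\Temp\\billy.exe", "size": "4096"},   # name+size hit
    {"host": "ws02", "filename": "notes.txt", "size": "10", "md5": "B" * 32},  # md5 hit
    {"host": "ws03", "filename": "ralph.exe", "size": "777"},               # size differs
    {"host": "ws04", "filename": "calc.exe", "size": "2048", "md5": "c" * 32},  # clean
]

def _base(name):
    # Both sides of a lookup must agree: drop any path, compare case-insensitively.
    return name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()

def load_iocs(text):
    # Index the CSV on each key the lookup may be consulted on.
    by_md5, by_sha256, by_name_size = {}, {}, {}
    for row in csv.DictReader(text.splitlines()):
        by_md5[row["md5"].strip().lower()] = row
        by_sha256[row["sha256"].strip().lower()] = row
        by_name_size[(_base(row["filename"]), int(row["size"]))] = row
    return by_md5, by_sha256, by_name_size

def match_event(event, tables):
    # Return (matched_field, ioc_row) or None; a hash match beats name+size.
    by_md5, by_sha256, by_name_size = tables
    for field, table in (("md5", by_md5), ("sha256", by_sha256)):
        key = event.get(field, "").strip().lower()
        if key in table:
            return field, table[key]
    size = event.get("size", "")
    if size.isdigit():
        key = (_base(event.get("filename", "")), int(size))
        if key in by_name_size:
            return "filename+size", by_name_size[key]
    return None

def scan(events, text):
    # Emulates `| lookup ... OUTPUTNEW` and keeps only the events with a hit.
    tables = load_iocs(text)
    matched = ((ev, match_event(ev, tables)) for ev in events)
    return [{**ev, "ioc_match": m[0], "ioc_sha256": m[1]["sha256"]}
            for ev, m in matched if m]
```

In Splunk the same normalisation is an eval (lower(), stripping the path) on the event fields before `| lookup`, or CASE_SENSITIVE_MATCH = false in the lookup definition; without it an upper-case hash in the CSV silently misses a lower-case hash in the event.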