Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a report to point to a file filled with hashes

mmiller779
New Member
‎02-27-2020 11:54 AM

I have a few files with a ton of signatures indicating a malicious actor.
The files consist of MD5 hashes, file sizes, filenames, and SHA256 hashes.
I'd like to make a dashboard with reports checking for these indicators but there are hundreds of them and I don't want to hand jam.
Is there a way to point to the file and have Splunk parse the documents to check for indicators?

0 Karma
Reply

to4kawa
Ultra Champion
‎03-03-2020 01:25 PM

If your files are text, please provide samples.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎02-27-2020 07:22 PM

Yes, probably, if I understand the question?

But on reading it four times now, I am convinced I do not understand the question.

You have a file of signatures. Fine.

You want to check for these indicators?

1) By file name? md5hash of files? filenames?
2) Where would you get whatever is it in step 1 that you want to compare with?

If you have the data for #2, then possibly it's as easy as just configuring a CSV lookup using that file as your source, and ... and searching for those?

This can be done in a variety of ways. For instance, you could use inputlookup as a "Feed" into a search:

index=windows sourcetype=filenames [|inputlookup mycsvfilesearch | fields filename ]

That would FIRST take a copy of the CSV you made, then trim it down to just a list of the filenames. That would then return via the subsearch back into the main search, so you main search would end up being like 

index=windows sourcetype=filenames (filename=BILLY.EXE OR filename=RALPH.EXE ... )

Feels like | lookup would be better, and generally it is, but I'm still pretty sure I don't understand what it is you are after.

What we need to move this forward is a better description of the pieces involved. Samples of the data. Samples of the events you think you can tie them into. SPL you've tried so far...

Or, if this answers your question then ... great! Let me know and I'll convert this to an Answer and you can accept it. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...