I have a few files with a ton of signatures indicating a malicious actor.
The files consist of MD5 hashes, file sizes, filenames, and SHA256 hashes.
I'd like to make a dashboard with reports checking for these indicators but there are hundreds of them and I don't want to hand jam.
Is there a way to point to the file and have Splunk parse the documents to check for indicators?
Yes, probably, if I understand the question?
But on reading it four times now, I am convinced I do not understand the question.
You have a file of signatures. Fine.
You want to check for these indicators?
1) By file name? md5 hash of files? filenames?
2) Where would you get whatever it is in step 1 that you want to compare with?
If you have the data for #2, then possibly it's as easy as just configuring a CSV lookup using that file as your source, and ... and searching for those?
This can be done in a variety of ways. For instance, you could use inputlookup as a "Feed" into a search:
index=windows sourcetype=filenames [|inputlookup mycsvfilesearch | fields filename ]
That would FIRST take a copy of the CSV you made, then trim it down to just a list of the filenames. That would then return via the subsearch back into the main search, so your main search would end up being like
index=windows sourcetype=filenames (filename=BILLY.EXE OR filename=RALPH.EXE ... )
| lookup would be better, and generally it is, but I'm still pretty sure I don't understand what it is you are after.
What we need to move this forward is a better description of the pieces involved. Samples of the data. Samples of the events you think you can tie them into. SPL you've tried so far...
Or, if this answers your question then ... great! Let me know and I'll convert this to an Answer and you can accept it. 🙂
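The practical gap in the question above is getting hundreds of indicator lines into the CSV lookup the answer refers to, and seeing what the two SPL patterns (the inputlookup subsearch and `| lookup`) actually do with it. The following is an added example, not code from the original thread or from Splunk: it parses a constructed indicator file (md5, size, filename, sha256 per line, comma or whitespace separated), rejects malformed lines instead of importing them, writes the lookup CSV, shows the OR expression the subsearch expands to, and mimics the `| lookup` join against a few constructed events. The lookup name `malware_iocs.csv`, the hash values and the event samples are all assumptions made up for the example.

```python
"""Build a Splunk CSV lookup from an indicator file and show what the
inputlookup-subsearch and | lookup patterns do with it.
Added example; every hash, filename and event below is constructed."""
import csv
import io
import re

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
LOOKUP_NAME = "malware_iocs.csv"   # assumed lookup file name

# Constructed indicator file: delimiter varies, one comment line, and one
# malformed line that must be rejected rather than silently imported.
SAMPLE_INDICATOR_FILE = """\
# md5, size, filename, sha256
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,51200,BILLY.EXE,1111111111111111111111111111111111111111111111111111111111111111
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 73728 RALPH.EXE 2222222222222222222222222222222222222222222222222222222222222222
notahash,0,BROKEN.EXE,alsonotahash
"""

# Constructed events of the kind the main search would return (note the
# case differences: lookups are case-sensitive unless configured otherwise).
SAMPLE_EVENTS = [
    {"host": "ws01", "filename": "billy.exe", "md5": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
    {"host": "ws02", "filename": "notepad.exe", "md5": "cccccccccccccccccccccccccccccccc"},
]


def parse_indicators(text):
    """One indicator per line -> list of dicts; comments skipped, bad lines returned separately.
    Filenames containing spaces must use the comma form, since whitespace is also a delimiter."""
    rows, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p for p in re.split(r"[,\s]+", line) if p]
        if len(parts) != 4:
            rejected.append(line)
            continue
        md5, size, filename, sha256 = parts
        md5, sha256 = md5.lower(), sha256.lower()
        if not (HEX_MD5.match(md5) and HEX_SHA256.match(sha256) and size.isdigit()):
            rejected.append(line)
            continue
        rows.append({"md5": md5, "size": int(size), "filename": filename, "sha256": sha256})
    return rows, rejected


def to_lookup_csv(rows):
    """Render the rows as the header+rows CSV a Splunk lookup file expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["md5", "size", "filename", "sha256"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def expand_subsearch(rows, field):
    """What Splunk substitutes for  [| inputlookup malware_iocs.csv | fields <field>]:
    an OR of field=value terms, exactly as the answer describes."""
    terms = sorted({f'{field}="{r[field]}"' for r in rows})
    return "(" + " OR ".join(terms) + ")"


def lookup_spl(field):
    """The | lookup form: enrich events whose <field> matches an indicator, keep only the hits."""
    return (f"| lookup {LOOKUP_NAME} {field} OUTPUT sha256 AS ioc_sha256, filename AS ioc_filename "
            f"| where isnotnull(ioc_sha256)")


def match_events(events, rows, field):
    """Mimic | lookup in Python: join events to indicators on <field> (case-insensitively,
    which in Splunk requires case_sensitive_match = false in transforms.conf) and return hits."""
    index = {r[field].lower(): r for r in rows}
    hits = []
    for event in events:
        ioc = index.get(event.get(field, "").lower())
        if ioc:
            hits.append({**event, "ioc_sha256": ioc["sha256"], "ioc_filename": ioc["filename"]})
    return hits


if __name__ == "__main__":
    rows, rejected = parse_indicators(SAMPLE_INDICATOR_FILE)
    print(f"imported {len(rows)} indicators, rejected {len(rejected)} line(s): {rejected}")
    print(to_lookup_csv(rows))
    print("subsearch expands to:", expand_subsearch(rows, "filename"))
    print("lookup form:", lookup_spl("md5"))
    for hit in match_events(SAMPLE_EVENTS, rows, "md5"):
        print("hit:", hit)
```

Write the CSV to `$SPLUNK_HOME/etc/apps/<app>/lookups/malware_iocs.csv` (or upload it through Settings > Lookups) and the `| lookup` line can be appended to any search that yields `md5`, `sha256` or `filename` fields. The subsearch form is fine for a few hundred filenames, but it is bounded by the subsearch result limit and produces a very long query, which is why the answer prefers `| lookup` for this volume; hash matching is also the stronger check, since a renamed binary keeps its hash but not its filename.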