Re: How to compare IP blacklists

nebblkshts · ‎06-27-2019

I want to either compare natdst to a blacklist.
We do not have a subscription to any service that provides blacklist but I see some free list.
I am assuming since we do not pay for a service, I have to download a CSV and compare that way.

woodcock · ‎07-05-2019

There is an app for that called Getwatchlist Add-on for Splunk Enterprise:
https://splunkbase.splunk.com/app/635/

gcusello · ‎06-27-2019

Hi nebblkshts,
You have to load csv in a lookup (called e.g. ip_blacklist.csv) and then use a search like this:

index=my_index [ | inputlookup ip_blacklist.csv | fields source_ip ]
| stats count BY source_ip

put attention to the fieldname between logs and lookup: they must be the same, if they are different, in the subsearch you have to insert a rename.

Bye.
Giuseppe

gcusello · ‎06-27-2019

Hi nebblkshts,
if you're satisfied by this answer, please accept and/ot upvote it.
Bye, see at next time.
Giuseppe

nebblkshts · ‎06-27-2019

Thank you, that worked.

How to compare IP blacklists

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How to compare IP blacklists

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey