How to compare IP blacklists

nebblkshts · ‎06-27-2019

I want to either compare natdst to a blacklist.
We do not have a subscription to any service that provides blacklist but I see some free list.
I am assuming since we do not pay for a service, I have to download a CSV and compare that way.

woodcock · ‎07-05-2019

There is an app for that called Getwatchlist Add-on for Splunk Enterprise:
https://splunkbase.splunk.com/app/635/

gcusello · ‎06-27-2019

Hi nebblkshts,
You have to load csv in a lookup (called e.g. ip_blacklist.csv) and then use a search like this:

index=my_index [ | inputlookup ip_blacklist.csv | fields source_ip ]
| stats count BY source_ip

put attention to the fieldname between logs and lookup: they must be the same, if they are different, in the subsearch you have to insert a rename.

Bye.
Giuseppe

gcusello · ‎06-27-2019

Hi nebblkshts,
if you're satisfied by this answer, please accept and/ot upvote it.
Bye, see at next time.
Giuseppe

nebblkshts · ‎06-27-2019

Thank you, that worked.

How to compare IP blacklists

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation

How to compare IP blacklists

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!