I have 117 sites listed from Homeland Security. I need to check if any of our machines have visited them. We have McAfee Web Gateway logs funneled into Splunk. What's the best way to go about looking for that activity?
You can create a CSV file with all 117 URLs, upload it to the search head and use that in your search. This will filter the data with all the URLs in the CSV file.
urls.csv
dhost
www.upanddown.ocry.com
www.upanddown.ocry.com
good.weascapes.com
khinhte.chinhsech.com
...
Search query:
source=Webgateway [ | inputlookup urls.csv]
Such lists (example: https://urlhaus.abuse.ch/browse/) often contain full URLs with an http:// prefix. A URL http://www.example.com/ from the CSV file will not match https://www.example.com/foo?xx in your proxy log. It is better to extract the domain part (www.example.com or even example.com) before searching.
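As an added example (not code from the thread), the following Python script does the preparation step both the answer and the comment above point at: it takes a raw indicator list whose entries may carry http://, https:// or ftp:// prefixes, ports, paths and mixed case, reduces each entry to its host, writes the single-column urls.csv lookup the answer describes, and then shows on a handful of constructed proxy events why matching on the extracted host (exactly, or as a subdomain) catches what a raw full-URL string match would miss. All indicator values, hostnames and log events are constructed sample data, and the function names are my own.

```python
# Added example, not from the original thread. Builds a Splunk-style
# "dhost" lookup from a raw indicator list and compares naive full-URL
# matching against host-based matching. All data below is constructed.
import csv
import io
from urllib.parse import urlsplit

# Constructed indicator list in the shape of a typical feed export:
# mixed schemes, ports, paths, a bare host, and upper-case entries.
INDICATORS = [
    "http://www.example-bad.test/",
    "https://login.example-bad.test/auth?x=1",
    "ftp://files.example-bad.test:21/pub/",
    "another-bad.test",
    "HTTP://WWW.THIRD-BAD.TEST/index.php",
]

# Constructed proxy events carrying the dhost field mentioned in the thread.
PROXY_EVENTS = [
    {"dhost": "beacon.walmart.com", "url": "https://beacon.walmart.com/ping"},
    {"dhost": "www.example-bad.test", "url": "https://www.example-bad.test/foo?xx"},
    {"dhost": "cdn.another-bad.test", "url": "http://cdn.another-bad.test/a.js"},
    {"dhost": "www.third-bad.test", "url": "http://www.third-bad.test/"},
    {"dhost": "www.youtube.com", "url": "https://www.youtube.com/"},
]


def extract_host(indicator: str) -> str:
    """Return the lowercase hostname of an indicator, whether or not it
    carries a scheme, port, path or query. Bare hosts come back unchanged."""
    value = indicator.strip()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the entry as a network location
    host = urlsplit(value).hostname or ""
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Collapse a host to its last two labels (example-bad.test). Simplified:
    a public-suffix list would be needed for co.uk-style suffixes."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_lookup_csv(indicators) -> str:
    """Produce the urls.csv contents the answer describes: one 'dhost'
    column, one de-duplicated, sorted host per row."""
    hosts = sorted({extract_host(i) for i in indicators} - {""})
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["dhost"])
    for h in hosts:
        writer.writerow([h])
    return buf.getvalue()


def naive_url_matches(events, indicators):
    """Events whose full URL contains an indicator string verbatim: scheme
    and case differences make most real hits fall through."""
    return [e["dhost"] for e in events if any(i in e["url"] for i in indicators)]


def match_events(events, indicators, by_domain=False):
    """Events whose dhost equals an indicator host or sits under it as a
    subdomain. With by_domain=True both sides are collapsed to the
    registered domain first (the 'or even example.com' variant)."""
    bad = {extract_host(i) for i in indicators} - {""}
    if by_domain:
        bad = {registered_domain(b) for b in bad}
    hits = []
    for e in events:
        d = e["dhost"].lower()
        if by_domain:
            d = registered_domain(d)
        if d in bad or any(d.endswith("." + b) for b in bad):
            hits.append(e["dhost"].lower())
    return hits


if __name__ == "__main__":
    print(build_lookup_csv(INDICATORS))
    print("naive full-URL matches:", naive_url_matches(PROXY_EVENTS, INDICATORS))
    print("host matches:          ", match_events(PROXY_EVENTS, INDICATORS))
    print("registered-domain hits:", match_events(PROXY_EVENTS, INDICATORS, by_domain=True))
```

Feed the printed CSV to Splunk as the urls.csv lookup and the `source=Webgateway [ | inputlookup urls.csv]` subsearch from the answer will expand it into `dhost="..." OR dhost="..."` terms. If the indicator list must stay as full URLs in the lookup, the same stripping can be done inside the subsearch with Splunk's `replace()` eval function before handing the field back to the outer search.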
Cool! Thanks!
OK, maybe I was making this harder than it needs to be. I can do this, for example...
source=Webgateway walmart.com
I get a lot of hits, of course. Do I have to do this 117 times, once for each URL/FTP site?
Can I use "OR" statements between URLs to search for several at one time?
Ah, the answer is yes. How many can I string together?
Apparently at least 10 sites. I was able to do the searching without errors. Talked myself through this. I'm good now. Open to better ways though!
Thanks.
Are these website values part of a field in the data?
As in my example for a walmart.com search, it showed up as
dhost="beacon.walmart.com"
Is that what you mean?
Yes, are the other website names part of this field as well?
Provide some sample output for the query below.
source=Webgateway | head 20 | table dhost
I had 117 various URLs and FTP sites. I was checking to see if any of our users went to any of those sites. One of my queries looked like this.
source=Webgateway www.upanddown.ocry.com OR dothi.chinhsech.com OR good.weascapes.com OR khinhte.chinhsech.com OR hcm.vozforumsx.com OR image.biengioivn.com OR lat.conglyan.com OR login.chinhphuna.com OR login.haiduongpcg.com OR luan.conglyan.com
Which worked; I threw a youtube.com and a walmart.com in there to check. A table would be cleaner though...
I converted my comment to an answer. Please accept it if it works for you.