Web link accessed on Firewall


My Query is little different,
I need to find the access status of web links on firewall/proxy logs of the access status
I got all the malicious URL in Mimecast logs, need to compare the url's with the proxy logs.
not sure how to proceed, do I need to create a lookup, or It can be done via a search itself

sourcetype=mimecast_for_splunk URL=*

Tags (2)
0 Karma

Super Champion

Can you provide some sample events from both log sources? There are multiple ways to do it.
Suppose if you have the common field in both the log sources then you can do it by stats OR join command.

Using stats :

(sourcetype=mimecast_for_splunk URL=*) OR sourcetype="pan:threat" | stats values(your_fields) common_field

Give me more details of what do you want exactly?
Are you just looking for raw logs or you are looking for specific key-value?
If URL exists in both sources then make sure that URL field is extracted in both the sources.

let me know if this helps!

0 Karma


Actually the scenario is, whenever anyone gets any weblink in email, I want to check that that link is tried access or not.

I am getting the web link from teh first search mimecast_for_splunk URL=*
the result for this search could be anything, whatever we get from outside.
but want to compare this result with my web logs i.e. sourcetype="pan:threat" URL=*

now I need the URL that are matching in both the log sources.

hope this explains

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...