need help Top malware/suspicious site

Steave4app
New Member

Hi People,

I am using Bluecoat proxy at this time and I am trying to get the report based on Malicious/Suspicious. I am running below query.

sourcetype=bluecoat* (categories="*Malicious*" OR categories="*Phishing*" OR categories="*Suspicious*") | fields + status, action, host | stats count by host | sort - host

Raw log:

Feb 14 06:31:42 Feb 14 14:31:41 ProxySG: 3B0002 2017-02-14 14:31:41 1 src=x.x.x.x status=403 action=TCP_DENIED 803 379 method=GET protocol=http host=adgebra.co.in port=80 path=/Spike/spike.js http://tamil.oneindia.com/news/tamilnadu/da-case-who-is-a4-ilavarasi-274085.html useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 categories=Web Ads/Analytics;Suspicious 74.117.128.45(97306393) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44

How would I add the URL info, action and status info into the statistics result, as those are not showing in the default fields?

Kind Regards,
Steave

0 Karma

DalJeanis
Legend

You need to verify what fields have already been extracted. So, with your _raw event, look at the interesting fields and see what field (if any) the http://...html value has been loaded into.

If it has not been extracted into anything, then you will probably want to use a regex to load the URL data into a field that you can use the list aggregate command on.

Here's one link to a thread that deals with that. https://answers.splunk.com/answers/93003/regex-for-url-parsing.html

0 Karma

gcusello
SplunkTrust

Hi Steave4app,
to insert other fields in a stats command you can:

  • insert them after the "by" clause, using that field as a key in stats,
  • before count, insert values(URL) AS URL values(info) AS info values(action) AS action. The problem is that, if you have many values, your report could be unreadable.

In addition, remember that this App uses summary indexes, so you have to insert these fields in the GROUPBY clause of the tstats command.

Bye.
Giuseppe

0 Karma
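To make the two answers above concrete (the regex extraction DalJeanis suggests and the stats-by-host report with values() that gcusello describes), here is an added Python example; it is not code from the thread or from the Bluecoat/Splunk app. It takes the raw ProxySG line posted above plus two constructed lines in the same format (placeholder hosts and RFC 5737 addresses), pulls out status, action, host, path, the bare referrer URL token and the categories value, then builds the same table that `stats count values(url) AS url values(action) AS action values(status) AS status by host` would produce in SPL. The field names and regexes are this example's own assumptions about the log format, not the app's extractions. One thing it shows that the thread only hints at: the categories value contains a space ("Web Ads/Analytics;Suspicious"), so a key=value extraction that stops at whitespace yields just "Web", which matches the truncated "categories=Web" in the follow-up post.

```python
import re
from collections import defaultdict

# Constructed sample events. The first is the raw line from the thread; the other
# two are made-up lines in the same layout (example hosts, RFC 5737 addresses).
SAMPLE_LOGS = [
    "Feb 14 06:31:42 Feb 14 14:31:41 ProxySG: 3B0002 2017-02-14 14:31:41 1 src=x.x.x.x status=403 action=TCP_DENIED 803 379 method=GET protocol=http host=adgebra.co.in port=80 path=/Spike/spike.js http://tamil.oneindia.com/news/tamilnadu/da-case-who-is-a4-ilavarasi-274085.html useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 categories=Web Ads/Analytics;Suspicious 74.117.128.45(97306393) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44",
    "Feb 14 06:32:10 Feb 14 14:32:09 ProxySG: 3B0002 2017-02-14 14:32:09 1 src=x.x.x.x status=403 action=TCP_DENIED 801 379 method=GET protocol=http host=bad.example.net port=80 path=/login.php http://mail.example.org/inbox useragent=Mozilla/5.0 categories=Phishing 192.0.2.10(1) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44",
    "Feb 14 06:33:00 Feb 14 14:32:59 ProxySG: 3B0002 2017-02-14 14:32:59 1 src=x.x.x.x status=200 action=TCP_HIT 5120 410 method=GET protocol=http host=news.example.com port=80 path=/index.html - useragent=Mozilla/5.0 categories=News/Media 192.0.2.20(2) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44",
]

# Field regexes assumed for this example (not the Splunk app's own extractions).
FIELD_RE = {
    "status": re.compile(r"\bstatus=(\d+)"),
    "action": re.compile(r"\baction=(\S+)"),
    "protocol": re.compile(r"\bprotocol=(\S+)"),
    "host": re.compile(r"\bhost=(\S+)"),
    "path": re.compile(r"\bpath=(\S+)"),
    # The referrer is a bare URL token after path=..., not a key=value pair.
    "referrer": re.compile(r"\s(https?://\S+)"),
    # The categories value may contain spaces ("Web Ads/Analytics;Suspicious"),
    # so read lazily up to the trailing "<ip>(<id>)" token rather than to whitespace.
    "categories": re.compile(r"\bcategories=(.*?)\s+\d{1,3}(?:\.\d{1,3}){3}\(\d+\)"),
}

# Category names that should land in the report (the thread's three).
WATCH = ("Malicious", "Phishing", "Suspicious")


def parse_event(line):
    """Extract the fields the report needs from one raw ProxySG line."""
    event = {}
    for name, pattern in FIELD_RE.items():
        m = pattern.search(line)
        event[name] = m.group(1) if m else None
    # Bluecoat separates multiple categories with ';'.
    raw_cats = event["categories"] or ""
    event["categories"] = [c.strip() for c in raw_cats.split(";") if c.strip()]
    # Rebuild the requested URL from protocol, host and path.
    if event["host"] and event["path"]:
        event["url"] = f"{event['protocol'] or 'http'}://{event['host']}{event['path']}"
    else:
        event["url"] = None
    return event


def is_flagged(event, watch=WATCH):
    """True when any category on the event is one of the watched names."""
    return any(cat in watch for cat in event["categories"])


def report(lines, watch=WATCH):
    """Equivalent of: stats count values(status) values(action) values(url)
    values(referrer) by host, restricted to flagged events."""
    rows = defaultdict(lambda: {"count": 0, "status": set(), "action": set(),
                                "url": set(), "referrer": set()})
    for line in lines:
        ev = parse_event(line)
        if not ev["host"] or not is_flagged(ev, watch):
            continue
        row = rows[ev["host"]]
        row["count"] += 1
        for field in ("status", "action", "url", "referrer"):
            if ev[field]:
                row[field].add(ev[field])
    # Sorted lists keep the multivalue columns deterministic, like values() in SPL.
    return {host: {k: (sorted(v) if isinstance(v, set) else v) for k, v in row.items()}
            for host, row in sorted(rows.items())}


if __name__ == "__main__":
    for host, row in report(SAMPLE_LOGS).items():
        print(host, row["count"], row["status"], row["action"], row["url"], row["referrer"])
```

The filter matches whole category tokens after splitting on ';', so "Web Ads/Analytics;Suspicious" is flagged through its second token while "News/Media" is not; if the proxy ever writes categories with different casing, lower-case both sides before comparing.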

Steave4app
New Member

Hi Cusello,

Happy to see you.

I have done that but it is not working. The interesting thing is, these items are not described as fields.

status=403 action=TCP_DENIED 803 379 method=GET protocol=http host=adgebra.co.in port=80 path=/Spike/spike.js http://tamil.oneindia.com/news/tamilnadu/da-case-who-is-a4-ilavarasi-274085.html useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 categories=Web

So if they are not fields, how would it work in a stats count by query?

Kind Regards,
Steave

0 Karma

gcusello
SplunkTrust

Strange: in the default bcoat_proxysg extraction there are "action" and "http_referrer" (URL); I don't know what "info" is.
Are you using the default App's sourcetype?
I used it, but I am rebuilding all the dashboards because the old ones were created in extended XML (deprecated by Splunk).
Bye.
Giuseppe

0 Karma