Splunk Enterprise Security

Check for users clicking on a totally new URL in the last 24 hrs

abhik1501
New Member

I need to search for users who clicked on totally new URLs seen in the last 24 hrs. If a user has clicked on a link which was already previously seen, I do not need those events.
Any inputs will be really helpful.

0 Karma

woodcock
Esteemed Legend

You need to maintain a lookup file with something like ... | stats min(_time) AS _time BY url | outputlookup firstTimeURLs.csv and then xref with ... | lookup firstTimeURLs.csv url OUTPUT url AS seen | where isnull(seen) against your data.

0 Karma

to4kawa
Ultra Champion

The CSV of the daily access list for each user.

Is the proxy log in Splunk?

0 Karma

abhik1501
New Member

Yes, the proxy log is in Splunk. There cannot be a specific daily access list for each user because the number of users is high and there is no restriction on the number of URLs accessed.

0 Karma

to4kawa
Ultra Champion
index=your_index sourcetype=proxy
| rex field=url "https?:\/\/(?<domain>[^\/]+)"
| stats values(eval(if(status=200,domain,NULL))) as domain
| mvexpand domain
| eval flag="access"
| outputlookup domain.csv

First, create the accessed-domain CSV (outputlookup writes it as a lookup table, which is what the second search reads), and

index=your_index sourcetype=proxy
| rex field=url "https?:\/\/(?<domain>[^\/]+)"
| lookup domain.csv domain OUTPUT flag
| where isnull(flag)
| stats values(domain) as domain by user

Second, check newly accessed domains by user (events whose domain is absent from the lookup come back with no flag).

It seems impossible to create a list of access domains for each user.

0 Karma
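A fuller version of the lookup-based approach from both answers, as an added example that is not from the thread. It assumes an index named proxy with fields user, url and status, and a lookup file seen_domains.csv that the first search creates. The first search seeds the lookup from history but stops 24 hours ago, so the window being tested does not mark its own domains as already seen; the second is the scheduled alert and reports which users reached domains absent from the lookup; the third merges the last 24 hours into the lookup and should be scheduled to run a few minutes after the alert.

```spl
index=proxy sourcetype=proxy status=200 earliest=-90d@d latest=-24h@h
| rex field=url "https?://(?<domain>[^/:?#]+)"
| stats min(_time) AS first_seen BY domain
| outputlookup seen_domains.csv

index=proxy sourcetype=proxy status=200 earliest=-24h@h latest=@h
| rex field=url "https?://(?<domain>[^/:?#]+)"
| lookup seen_domains.csv domain OUTPUT first_seen AS known_since
| where isnull(known_since)
| stats min(_time) AS first_seen, dc(user) AS user_count, values(user) AS users, values(url) AS urls BY domain
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort first_seen

index=proxy sourcetype=proxy status=200 earliest=-24h@h latest=@h
| rex field=url "https?://(?<domain>[^/:?#]+)"
| stats min(_time) AS first_seen BY domain
| inputlookup append=t seen_domains.csv
| stats min(first_seen) AS first_seen BY domain
| outputlookup seen_domains.csv
```

The searches key on the domain, as to4kawa's answer does; to match the original question literally, replace domain with url in all three and drop the rex lines.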