Splunk Enterprise Security

Check if new software detected exists/doesn't exist in Lookup

siddh01r
New Member

I am trying to find out when a new software get installed on any end point. and I also have a script running to collect installed software

I have created a lookup file called installed_software_workstations.csv - where i have recorded all the approved software.
I need help with something like -

check if software is not in lookup file( installed_software_workstations.csv). flag it as unapproved software or new software.

0 Karma
1 Solution

renjith_nair
Legend

@siddh01r,

Assuming that you have the list of softwares installed and software name is DisplayName. Your lookup table has product which points to software name.
Try

sourcetype = Script:InstalledApps" |stats count by DisplayName 
|lookup approved_software-workstations.csv product as DisplayName
|where isnull(is_approved)
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@siddh01r,

Assuming that you have the list of softwares installed and software name is DisplayName. Your lookup table has product which points to software name.
Try

sourcetype = Script:InstalledApps" |stats count by DisplayName 
|lookup approved_software-workstations.csv product as DisplayName
|where isnull(is_approved)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

siddh01r
New Member

This has worked for me mate!!! thank you so much!!!!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...