Splunk Enterprise Security

How to edit my data model search to reference a lookup table?

hmrabet
New Member

Hi All,

I am working on developing a search in Splunk Enterprise Security that will reference a lookup table named "Blacklist.csv" which contains a list of blacklisted IPs under a field called "IP_Blacklist".

I have so far written a search to reference more than one data model. The issue is I'm not getting any matches against the blacklisted IP list. There is at least one match that should be brought up.

My current search:

| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [|datamodel "Authentication" "Authentication" search] [|datamodel "Web" "Web" search] | lookup Blacklist.csv IP_Blacklist
0 Karma

somesoni2
Revered Legend

The lookup command is used to add fields from a lookup based on a field. So if you're looking to look at raw events from those data model results for the IP addresses from the lookup, I would try it like this:

| multisearch [| datamodel "Network_Traffic" "All_Traffic" search] [|datamodel "Authentication" "Authentication" search] [|datamodel "Web" "Web" search] | search [| inputlookup Blacklist.csv | table  IP_Blacklist | rename IP_Blacklist as search | format ]

The second subsearch should add a giant OR condition with values of IP_Blacklist field, e.g. ((xx.xx.xx.xx) OR (xx.xx.xx.xx) OR...)

0 Karma

hmrabet
New Member

Thanks, that subsearch was what I was looking for.

0 Karma

hmrabet2
Observer

If a match was found based on the "IP_Blacklist" field, how would I output another field named "comments" from the same lookup file as an OUTPUT?

I have tried adding the following to the end of the search:

| lookup Blacklist.csv IP_Blacklist OUTPUT comments | table IP_Blacklist, comments

It matches the number of triggered events, but the table of results is empty.

0 Karma

somesoni2
Revered Legend

Do all the datamodel search results contain the field IP_Blacklist? Also, what you're doing here is a lookup for data enrichment (adding fields from your lookup table to search results wherever there is a match) and not a filter. I hope that is what you intend to do.

0 Karma

hmrabet2
Observer

The data models don't contain a field named "IP_Blacklist". What I am trying to accomplish is to reference the "IP_Blacklist" field from my lookup file in the search and match this against any IP addresses in the Splunk platform to give me a list of bad IPs.

0 Karma
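Since the data models carry the addresses in their own CIM fields (src and dest) rather than in a field called IP_Blacklist, the lookup has to be told which event field to match with the AS clause. The search below is an added example, not a post from this thread; it assumes the datamodel command surfaces the fields as All_Traffic.src, Authentication.src, Web.src and their dest counterparts (check with | fieldsummary if your setup differs), and that Blacklist.csv has the columns IP_Blacklist and comments as described above.

```spl
| multisearch
    [| datamodel "Network_Traffic" "All_Traffic" search
       | rename All_Traffic.src AS src, All_Traffic.dest AS dest]
    [| datamodel "Authentication" "Authentication" search
       | rename Authentication.src AS src, Authentication.dest AS dest]
    [| datamodel "Web" "Web" search
       | rename Web.src AS src, Web.dest AS dest]
``` match the lookup's IP_Blacklist column against the source address, then against the destination
| lookup Blacklist.csv IP_Blacklist AS src  OUTPUT comments AS src_comments
| lookup Blacklist.csv IP_Blacklist AS dest OUTPUT comments AS dest_comments
``` keep only events where either side hit the list (this is the filter step the lookup alone does not do)
| where isnotnull(src_comments) OR isnotnull(dest_comments)
``` report which address matched and carry the comments field from the CSV
| eval bad_ip=if(isnotnull(src_comments), src, dest),
       comments=coalesce(src_comments, dest_comments)
| table _time, bad_ip, comments, src, dest
```

The original `| lookup Blacklist.csv IP_Blacklist OUTPUT comments` returned empty rows because no event had a field named IP_Blacklist to match on; the AS aliases above are what make the join happen.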