Splunk Enterprise Security

In threatlists can you have multiple values in url?

mcronkrite
Splunk Employee

Can you have multiple domain names on single url field? Or does every row have to have single domain name?

0 Karma
1 Solution

jervin_splunk
Splunk Employee

The previous answer is incorrect; threatlists do not accept a pipe-delimited field as input for the "url" or "domain" fields. This is something that can easily be tested by simply trying it out. Place an entry into local_threatlist_domains.csv and wait for the threatlist management system to merge the CSVs into the active lookup tables:

$ cat local_threatlist_domains.csv
description,domain
test,splunk.com|google.com

    ... wait for a while ...

$ grep splunk threatlist_by_domain_or_url.csv
splunk.com|google.com,,,test,,splunk.com|google.com,,local_threatlist_domains,threatlist_domain

Note that the output CSV does not contain multiple entries as would be required in a lookup table for matching to work properly, but retains the pipe-delimited format; thus this indicates that this is not currently supported.

We'll coordinate to have the documentation corrected.


mcronkrite
Splunk Employee

For URLs it would be good to split the URL into parts. The URL can be the main domain, but it also has an embedded cookie, referrer, etc. The threat list should be matching against all of its values within the url field.

0 Karma

mcronkrite
Splunk Employee

I've filed a case to request this feature.

0 Karma

esix_splunk
Splunk Employee

You can separate multivalues with a pipe as a delimiter, per the documentation. However, the way ES hashes out the threatlist url values, it's probably most efficient to have multiple values broken out.

0 Karma
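As an added example (not code from the thread or from Splunk), the script below does the two things the answers above point at: it breaks a pipe-delimited domain cell in a local threatlist CSV into one row per domain before the threatlist manager merges it, and it audits the merged lookup for cells the merge left pipe-delimited, which would never match as exact lookup keys. The sample CSV contents are constructed from the rows in the accepted answer; the merged file is read positionally because the thread shows it without a header.

```python
import csv
import io

# Constructed sample matching the local file in the accepted answer, plus one
# row that already carries a single domain (with stray whitespace).
LOCAL_CSV = """description,domain
test,splunk.com|google.com
single, example.net
"""

# Constructed sample of the merged output row shown in the accepted answer
# (the merged file is shown without a header, so it is read positionally).
MERGED_CSV = """splunk.com|google.com,,,test,,splunk.com|google.com,,local_threatlist_domains,threatlist_domain
"""


def split_multivalued(text, field="domain", sep="|"):
    """Return one row per indicator: a pipe-delimited value in `field` becomes
    several rows that share every other column. Duplicates and blanks inside a
    cell are dropped; single-valued rows pass through unchanged."""
    reader = csv.DictReader(io.StringIO(text))
    out = []
    for row in reader:
        seen = set()
        for value in row[field].split(sep):
            value = value.strip()
            if value and value not in seen:
                seen.add(value)
                out.append({**row, field: value})
    return out


def to_csv(rows, fieldnames):
    """Serialise rows back into the local_threatlist_*.csv layout."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def find_unsplit(merged_text, sep="|"):
    """Audit a merged lookup: report (row, column, value) for every cell that
    still contains the separator, i.e. an indicator that cannot match exactly."""
    hits = []
    for n, row in enumerate(csv.reader(io.StringIO(merged_text)), start=1):
        for i, cell in enumerate(row):
            if sep in cell:
                hits.append((n, i, cell))
    return hits
```

Run `split_multivalued` over the local file before dropping it in place, and `find_unsplit` over the merged threatlist_by_domain_or_url.csv afterwards to confirm nothing pipe-delimited slipped through.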