Splunk Enterprise Security

Is it possible to use a comparison / conditional functions with a lookup?

AlexeySh
Communicator

Hello,

I’d like to create an alert on ransomware detections. I have file event logs, and their most important field is ‘file_name’. It looks like this:

File_name
File1.txt
File2.pdf
File3.xls
Etc.

At the same time I have a lookup called ‘ransomware_extensions’ with only one column ‘extension’ which contains ransomware extensions. It looks like this:

Extension
.wtf
.exx
.locked
Etc.

I’m trying to create a search which checks if the ‘file_name’ value matches an ‘extension’ value. Something like this one:

*my basic search
| eval ransomware=if(like(file_name,"%[|lookup ransomware_extensions.csv extension output extension]%"), 1, 0)

Unfortunately it doesn’t work.

Do you have any ideas?

Regards,
Alexey.

1 Solution

FrankVl
Ultra Champion

Populate your ransomware extension lookup with *.ext and set the match_type of that field of the lookup to WILDCARD. That way you can match the entire filename against the extension patterns in the lookup.

And as @diogofgm mentions, you can then use the lookup (either automated or as part of your search) to add a field ransomware = true/false to your results which can then be used to filter.

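The accepted answer in concrete form, as an added example rather than configuration posted in the thread. It assumes the lookup table file is still called ransomware_extensions.csv but now has two columns, extension and ransomware, with the extension column holding wildcard patterns (for example *.wtf,true); the lookup definition name ransomware_extensions, the sourcetype name file_events and the index name endpoint are placeholders.

```ini
# transforms.conf (added example; stanza name and file name are assumptions)
# Expected CSV contents (constructed sample):
#   extension,ransomware
#   *.wtf,true
#   *.exx,true
#   *.locked,true
[ransomware_extensions]
filename             = ransomware_extensions.csv
# Treat the values of the "extension" column as wildcard patterns, so the
# whole file_name (e.g. invoice.pdf.locked) is matched against *.locked.
# Without this line the lookup only does exact, whole-value matching.
match_type           = WILDCARD(extension)
# Ransomware extensions show up in mixed case; do not let Invoice.LOCKED
# slip past an all-lowercase pattern list.
case_sensitive_match = false

# props.conf (optional: automatic lookup, so every file event carries the
# ransomware field and alerts can simply search ransomware="true")
[file_events]
LOOKUP-ransomware = ransomware_extensions extension AS file_name OUTPUT ransomware

# Ad-hoc search using the definition above (usable as the alert base search):
#   index=endpoint sourcetype=file_events
#   | lookup ransomware_extensions extension AS file_name OUTPUT ransomware
#   | fillnull value="false" ransomware
#   | where ransomware="true"
```

Two things worth checking before relying on this: the `lookup` command must reference the definition name (ransomware_extensions), not the .csv file, or the match_type setting is ignored; and a pattern such as *.locked matches any file name that ends in .locked, which is what you want, since most ransomware appends its extension to the original name (report.pdf.locked) rather than replacing it.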

AlexeySh
Communicator

Probably the easiest way to solve the issue. Will try it.

Thanks for the advice!


diogofgm
SplunkTrust

You should check the ES content updates app (https://splunkbase.splunk.com/app/3449/). It has a story (with searches included) on ransomware.

But from what you have, you can try to extract the file extension from your file_name and then use a lookup with

extension, ransomware
exx, true

in your search use

|lookup ransomware_extensions.csv extension output extension ransomware

OR make it an automatic lookup.
This way you can search ransomware="true"

------------
Hope I was able to help you. If so, some karma would be appreciated.
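The extract-then-lookup variant from the reply above written out as a full search, as an added example (not the poster's own search). It assumes the lookup file ransomware_extensions.csv has the columns extension and ransomware, with the extension stored lowercase and with its leading dot, matching the original lookup (for example .locked,true); the index and sourcetype names are placeholders, and host is the standard Splunk default field.

```spl
index=endpoint sourcetype=file_events
| rex field=file_name "(?<extension>\.[^.]+)$"
| eval extension=lower(extension)
| lookup ransomware_extensions.csv extension OUTPUT ransomware
| fillnull value="false" ransomware
| where ransomware="true"
| stats count AS hits min(_time) AS first_seen max(_time) AS last_seen values(extension) AS extensions BY host
```

The rex takes the last dot-delimited segment of file_name, so report.pdf.locked yields .locked rather than .pdf; lowercasing before the lookup matters because CSV lookups are case-sensitive by default and an entry of .locked would otherwise miss Report.LOCKED. The closing stats is there so the alert fires once per host with a count rather than once per file event.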

AlexeySh
Communicator

Yep, this is a solution, didn't think about it.

Thanks for the answer !
