Splunk Enterprise Security

Is it possible to use a comparison / conditional functions with a lookup?

AlexeySh
Communicator

Hello,

I’d like to create an alert on ransomware detections. I have file event logs and their most important field is ‘file_name’. It looks like this:

File_name
File1.txt
File2.pdf
File3.xls
Etc.

At the same time I have a lookup called ‘ransomware_extensions’ with only one column ‘extension’ which contains ransomware extensions. It looks like this:

Extension
.wtf
.exx
.locked
Etc.

I’m trying to create a search which checks if a ‘file_name’ value matches an ‘extension’ value. Something like this one:

*my basic search
| eval ransomware=if(like(file_name,"%[|lookup ransomware_extensions.csv extension output extension]%"), 1, 0)

Unfortunately it doesn’t work.

Do you have any ideas?

Regards,
Alexey.

0 Karma
1 Solution

FrankVl
Ultra Champion

Populate your ransomware extension lookup with *.ext and set the match_type of that field of the lookup to WILDCARD. That way you can match the entire filename against the extension patterns in the lookup.

And as @diogofgm mentions, you can then use the lookup (either automated or as part of your search) to add a field ransomware = true/false to your results which can then be used to filter.

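As an added illustration of this approach (my example, not code from the thread or from Splunk's documentation), here is what the pieces look like end to end. Assumptions: the lookup table file ransomware_extensions.csv has a single column, extension, filled with patterns such as *.wtf, *.exx and *.locked; a lookup definition named ransomware_extensions points at that file in transforms.conf with match_type = WILDCARD(extension) and case_sensitive_match = false (CSV lookups match case-sensitively by default, so .LOCKED would otherwise slip through); and index=file_events sourcetype=file_events stands in for the original base search. The search hands file_name to the lookup as its extension field, so each whole file name is tested against every wildcard pattern, and only rows that matched a pattern survive:

```spl
index=file_events sourcetype=file_events
| lookup ransomware_extensions extension AS file_name OUTPUT extension AS matched_pattern
| where isnotnull(matched_pattern)
| stats count, values(file_name) AS files, min(_time) AS first_seen BY host, user, matched_pattern
```

A pattern like *.locked only matches when that extension is the last thing in the name, so report.locked.txt is not flagged; add a second pattern such as *.locked.* if that variant matters to you. For the alert, schedule the search and trigger when the result count is greater than 0. To make it automatic instead, attach the same definition as a lookup on the sourcetype in props.conf with file_name mapped to extension, and the matched_pattern field shows up on every event without the lookup line.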

AlexeySh
Communicator

Probably the easiest way to solve the issue. Will try it.

Thanks for the advice!

0 Karma

diogofgm
SplunkTrust

You should check the ES content updates app (https://splunkbase.splunk.com/app/3449/). It has a story (with searches included) on ransomware.

But from what you have, you can try to extract the file extension from your file_name and then use a lookup with

extension, ransomware
exx, true

in your search use

|lookup ransomware_extensions.csv extension output extension ransomware

OR make it an automatic lookup.
This way you can search ransomware="true"

------------
Hope I was able to help you. If so, some karma would be appreciated.
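An added, complete version of this extract-then-lookup variant (my example, not diogofgm's code). It assumes a lookup definition ransomware_extensions over a CSV with the columns extension,ransomware, where extension holds the dot-prefixed, lower-case value (.exx,true and so on, matching the lookup described in the question), and index=file_events sourcetype=file_events stands in for the base search. The rex takes whatever follows the last dot at the end of file_name, the eval lower-cases it (the CSV lookup is case-sensitive unless the definition says otherwise, so .EXX would otherwise miss), and fillnull gives every file the lookup does not know an explicit false before filtering:

```spl
index=file_events sourcetype=file_events
| rex field=file_name "(?<extension>\.[A-Za-z0-9_-]+)$"
| eval extension=lower(extension)
| lookup ransomware_extensions extension OUTPUT ransomware
| fillnull value="false" ransomware
| search ransomware="true"
| table _time host user file_name extension
```

With an automatic lookup defined on the sourcetype in props.conf the lookup line goes away and the alert search is just the base search plus ransomware="true", but the extraction and lower-casing still have to happen first, so they belong in props.conf as well (an EXTRACT for extension and the lookup applied after it). A file name with no dot at all gets no extension and is therefore reported as false, which is the behaviour you want for the alert.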

AlexeySh
Communicator

Yep, this is a solution, didn't think about it.

Thanks for the answer!

0 Karma