Splunk Enterprise Security

Is it possible to use a comparison / conditional functions with a lookup?

AlexeySh
Communicator

Hello,

I’d like to create an alert on ransomware detections. I have file events logs and their most important field is ‘file_name’. It looks like this:

File_name
File1.txt
File2.pdf
File3.xls
Etc.

At the same time I have a lookup called ‘ransomware_extensions’ with only one column ‘extension’ which contains ransomware extensions. It looks like this:

Extension
.wtf
.exx
.locked
Etc.

I’m trying to create a search which checks if ‘file_name’ value matches an ‘extension’ value. Something like that one:

*my basic search
| eval ransomware=if(like(file_name,"%[|lookup ransomware_extensions.csv extension output extension]%"), 1, 0)

Unfortunately it doesn’t work.

Do you have any ideas?

Regards,
Alexey.

0 Karma
1 Solution

FrankVl
Ultra Champion

Populate your ransomware extension lookup with *.ext and set the match_type of that field of the lookup to WILDCARD. That way you can match the entire filename against the extension patterns in the lookup.

And as @diogofgm mentions, you can then use the lookup (either automated or as part of your search) to add a field ransonware = true/false to your results which can then be used to filter.

View solution in original post

FrankVl
Ultra Champion

Populate your ransomware extension lookup with *.ext and set the match_type of that field of the lookup to WILDCARD. That way you can match the entire filename against the extension patterns in the lookup.

And as @diogofgm mentions, you can then use the lookup (either automated or as part of your search) to add a field ransonware = true/false to your results which can then be used to filter.

AlexeySh
Communicator

Probably the easiest way to solve the issue. Will try it.

Thanks for the advice!

0 Karma

diogofgm
SplunkTrust
SplunkTrust

You should check the ES content updates app (https://splunkbase.splunk.com/app/3449/). It has a story (with searches included) on ransomware.

But from what you have, you can try to extract the file extension from you file_name and then use a lookup with

extension, ransomware
exx, true

in your search use

|lookup ransomware_extensions.csv extension output extension ransomware

OR make it and automatic lookup.
this way you can search ransomware="true"

------------
Hope I was able to help you. If so, some karma would be appreciated.

AlexeySh
Communicator

Yep, this is a solution, didn't think about it.

Thanks for the answer !

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...