Splunk Enterprise Security

May I have some help configuring wildcard usage in a lookup table?

AlexeySh
Communicator

Hello,

I’d like to configure wildcard usage for a lookup table, but unfortunately I’m not a Splunk guru and probably need a hand.

I have a lookup called "malware_domain_whitelist" with the URLs I’d like to whitelist for the standard Enterprise Security correlation search “Threat Activity Detected”. The lookup looks like this:

url      | whitelisted
url1.com | true
url2.org | true
url3.net | true
Etc.

I would like to use a wildcard with the ‘url’ column in order to add lines like these to the correlation search:

| lookup malware_domain_whitelist url OUTPUT whitelisted
| search NOT whitelisted="true"

I have two questions please:

First: if I understood correctly, I have to modify transforms.conf. But should I modify transforms.conf in $SPLUNK_HOME/etc/system/default/, or should I create a copy in $SPLUNK_HOME/etc/system/local/?

Second: I’m not exactly sure about the modification I should write. Could you please correct the mistakes:

[malware_domain_whitelist]
Filename= malware_domain_whitelist.csv
match_type = WILDCARD(url)

Is there something else I should do?

Thanks for the help!
Regards.

0 Karma
1 Solution

rlalwani_splunk
Splunk Employee

The lookup definition contains "Filename", which is invalid; it should be all in lower case.
You should modify the transforms.conf inside etc\apps\app_name, not the one under system local or default.

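Added example, not part of the thread: a small Python emulation of the WILDCARD(url) lookup and the two search lines from the question, run over constructed lookup rows and events, to show which events the whitelist drops and which it keeps. The patterns, hosts and IPs are hypothetical; the Splunk behaviours it mirrors are the default case-sensitive match and the fact that an unmatched event simply has no whitelisted field.

```python
import csv
import io
import re

# Constructed stand-in for malware_domain_whitelist.csv (hypothetical rows);
# with match_type = WILDCARD(url) the '*' goes into the lookup's url column.
LOOKUP_CSV = """url,whitelisted
url1.com,true
*.url2.org,true
cdn-*.url3.net,true"""
LOOKUP_ROWS = list(csv.DictReader(io.StringIO(LOOKUP_CSV)))

# Constructed events as the correlation search would see them (fields trimmed).
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "url": "url1.com"},         # exact row match
    {"src": "10.0.0.6", "url": "static.url2.org"},  # matches *.url2.org
    {"src": "10.0.0.7", "url": "url2.org"},         # '*.' needs a dot: no match
    {"src": "10.0.0.8", "url": "other.example"},    # not in the lookup at all
    {"src": "10.0.0.9", "url": "URL1.COM"},         # case differs: no match
]

def wildcard_regex(pattern):
    """WILDCARD match_type treats only '*' as a wildcard; the rest is literal."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")))

def wildcard_lookup(rows, key_field, value, output_field):
    """Emulate '| lookup <name> <key_field> OUTPUT <output_field>' under a
    WILDCARD(<key_field>) definition: case-sensitive (Splunk's default
    case_sensitive_match = true), first matching row wins, None on no match
    (Splunk then leaves the output field absent on the event)."""
    for row in rows:
        if wildcard_regex(row[key_field]).fullmatch(value):
            return row[output_field]
    return None

def apply_whitelist(events, rows):
    """Emulate the two lines from the question:
         | lookup malware_domain_whitelist url OUTPUT whitelisted
         | search NOT whitelisted="true"
    NOT whitelisted="true" also keeps events with no whitelisted field, so
    unmatched events survive; whitelisted!="true" would drop them instead."""
    kept = []
    for event in events:
        hit = wildcard_lookup(rows, "url", event["url"], "whitelisted")
        enriched = dict(event) if hit is None else dict(event, whitelisted=hit)
        if enriched.get("whitelisted") != "true":
            kept.append(enriched)
    return kept
```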


AlexeySh
Communicator

Great!
Thanks for the help.

0 Karma