Splunk Enterprise Security

May I have a help to configure wildcard usage in lookup table?

AlexeySh
Communicator

Hello,

I’d like to configure a wildcard usage for a lookup table, but unfortunately I’m not a Splunk guru and probably need a hand.

I have a lookup called "malware_domain_whitelist" with the URLs I’d like to whitelist for the standard Enterprise Security correlation search “Threat Activity Detected”. The lookup looks like this:

url      | whitelisted
url1.com | true
url2.org | true
url3.net | true
Etc.

I would like to use wildcard with ‘url’ column in order to add to the correlation search lines like:

| lookup malware_domain_whitelist url OUTPUT whitelisted
| search NOT whitelisted=”true”

I have two questions please:

First: if I understood correctly, I have to modify the transform.conf. But should I modify transform.conf on $SPLUNK_HOME/etc/system/default/ or should I create a copy on $SPLUNK_HOME/etc/system/local/?

Second: I’m not exactly sure about the modification I should write. Could you please correct the mistakes:

[malware_domain_whitelist]
Filename= malware_domain_whitelist.csv
match_type = WILDCARD(url)

Is there is something else I should do?

Thanks for the help!
Regards.

0 Karma
1 Solution

rlalwani_splunk
Splunk Employee
Splunk Employee

The lookup definition contains "Filename" which is invalid, it should be all in lower case.
You should modify the transforms.conf inside etc\apps\app_name, not of the system local or default.

View solution in original post

rlalwani_splunk
Splunk Employee
Splunk Employee

The lookup definition contains "Filename" which is invalid, it should be all in lower case.
You should modify the transforms.conf inside etc\apps\app_name, not of the system local or default.

AlexeySh
Communicator

Great!
Thanks for the help.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...