Hello,
I use lookup to find IOCs in logs.
The problem is that only the IOC www.lost.com comes out, and not lost.com.
I did find a solution with a search based on inputlookup, but it is too greedy in resources.
Do you have a proposal for me? Thank you.
Thank you very much for this introduction to the notion of regex, which I did not know in Splunk.
Now I complicate it a bit:
in my IOC.csv, in the FQDN column, I have:
and I have two logs:
One solution would be to be able to put a "*" in front of the FQDN when it is compared.
If I put "*" in front of each FQDN in my IOC.csv, it is considered as a character.
sorry for the headaches 😉
Well, since you need to match the FQDN, I guess that using the regex proposed by @to4kawa would help you better.
But just to confirm, you need "87431.always.lost.com" to match just "always.lost.com" on your IOC list? Or do you need it to also match "lost.com"?
The hoped-for result is that for the log:
I must have IOC: lost.com, 873.lost.com
and for the log:
I must have IOC: lost.com, always.lost.com, 31.always.lost.com
Thank you, I'll try.
Hi,
Maybe you could try to first extract the domain from your query field, and then search your IOC csv file.
index=answers
| rex field=query "\.(?<domain>\w+\.\w+?)(?:$|\/)"
| eval query = mvappend(query, domain)
| lookup ioc FQDN as query OUTPUT FQDN
| search FQDN=*
| table srcip, dstip, query, FQDN
The search above returned a table like this:
Also, if you are using Splunk Enterprise Security, I recommend you take a look at the Threat Activity Detected correlation search and at the Splunk threat feeds feature.
| rex field=query "\.(?<domain>\w+\.\w+?)(?:$|\/)"
can't handle www.bbc.co.uk, www.cctv.com.cn
| rex field=query "[\w-]+\.(?<domain>[^\/:]+)"
is better.
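The answer above derives one "domain" field with a rex and looks it up; the follow-up shows that a fixed two-label regex breaks on names like www.bbc.co.uk. As an added example (not code from any poster in this thread), the snippet below does the matching the asker described outside Splunk: it generates every label-aligned parent of the queried host and checks each against the IOC list, so an IOC such as lost.com or bbc.co.uk hits regardless of how many labels sit in front of it. The IOC.csv content is constructed for the example; the asker's real list is not shown on the page.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed stand-in for the IOC.csv discussed in the thread (FQDN column).
IOC_CSV = """FQDN
lost.com
873.lost.com
always.lost.com
31.always.lost.com
*.bbc.co.uk
"""


def load_iocs(text):
    """Read the FQDN column into a set of lowercase domains.

    A leading "*." (the asker's wildcard attempt) is stripped, because the
    suffix walk below already gives wildcard semantics."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["FQDN"].strip().lower().lstrip("*.") for r in rows if r["FQDN"].strip()}


def host_of(query):
    """Pull the hostname out of a logged query that may be a bare FQDN or a URL."""
    q = query.strip().lower().rstrip(".")
    if "://" not in q:
        q = "//" + q          # urlsplit only parses a netloc after '//'
    return urlsplit(q).hostname or ""


def candidate_suffixes(host):
    """Label-aligned suffixes, longest first: a.b.c -> ['a.b.c', 'b.c', 'c']."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def match_iocs(query, iocs):
    """Return every IOC that the query host equals or is a subdomain of."""
    return [s for s in candidate_suffixes(host_of(query)) if s in iocs]


def scan_query(query, ioc_csv=IOC_CSV):
    """Convenience wrapper: match one logged query against the CSV text."""
    return match_iocs(query, load_iocs(ioc_csv))


if __name__ == "__main__":
    for q in ["evil.31.always.lost.com", "http://www.bbc.co.uk/news", "www.cctv.com.cn"]:
        print(q, "->", scan_query(q))
```

Matching is on label boundaries, so 87431.always.lost.com hits always.lost.com and lost.com but not 31.always.lost.com; if a plain string-suffix match is really wanted, compare with `host.endswith("." + ioc)` instead of walking labels.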