Splunk Enterprise Security

search IOC

theyukora
Engager

Hello,

i use lookup to find IOC in log.

  • in my lookup IOC.csv in FQDN column i have : lost.com and www.lost.com
  • my log is : "srcip=9.9.9.9 dstip=8.8.8.8 query=www.lost.com"
  • "index=test | lookup IOS.csv FQDN as query OUTPUT FQDN | search FQDN=* "

the problem is that only IOC www.lost.com will come out and not lost.com

I did find a solution with a request based on inputlookup but this is too greedy in resource

do you have a proposal for me? thank you

Labels (1)
0 Karma

theyukora
Engager

thank you very much for this introduction to the notion of rexgex which I did not know in SPLUNK.

now I complicate it a bit:

in my IOC.csv in FQDN column i have:

  • 873.lost.com
  • lost.com
  • always.lost.com
  • 31.always.lost.com

and i have two logs:

  • "srcip=9.9.9.9 dstip=8.8.8.8 query=www.123654873.lost.com"
  • "srcip=9.9.9.9 dstip=8.8.8.8 query=87431.always.lost.com"

the one solution would be to be able to put a "*" in front of the FQND when it is compared.
If I put "*" in front of each FNDN in my IOC.csv it is considered as a character.

sorry for the headaches 😉

0 Karma

alonsocaio
Contributor

Well, since you need to match the FQDN, I guess that using the regex proposed by @to4kawa would help you better.

But just to confirm, you need "87431.always.lost.com" to match just "always.lost.com" on your IOC list? Or do you need it to also match "lost.com"?

0 Karma

theyukora
Engager

the hoped result is that for the LOG:

I must have iOC : lost.com , 873.lost.com

ans for the log:

  • "srcip=9.9.9.9 dstip=8.8.8.8 query=87431.always.lost.com"

I must have IOC : lost.com, always.lost.com, 31.always.lost.com

0 Karma

theyukora
Engager

thank you i try

0 Karma

alonsocaio
Contributor

Hi,

Maybe you could try to first extract the domain from your query field, and then search your IOC csv file.

index=answers 
| rex field=query "\.(?<domain>\w+\.\w+?)(?:$|\/)" 
| eval query = mvappend(query, domain) 
| lookup ioc FQDN as query OUTPUT FQDN 
| search FQDN=* 
| table srcip, dstip, query, FQDN

The search above had returned a table like this:

alt text

Also, if you are using Splunk Enterprise Security, I recommend you to take a look on the Threat Activity Detected correlation search and on the Splunk threat feeds feature.

to4kawa
Ultra Champion

| rex field=query "\.(?<domain>\w+\.\w+?)(?:$|\/)" can't handle about www.bbc.co.uk ,www.cctv.com.cn

| rex field=query "[\w-]+\.(?<domain>[^\/:]+)" is better.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...