Hello Guys,
I am VERY new to Splunk and security. I actually started to work on a security project where we want to use Splunk to correlate access logs with a malware domain list (csv format) so that we will be able to detect unusual behavior of users.
For example, detect that a user tried to connect to a URL with a bad reputation several times (in a day, or in a period of time), or repetitive connection attempt in countries that we know we have any interest. etc.
I'm kindly asking for your help as right now, I'm a little bit lost.
Thank you very much to each one of you.
That's a loaded question. At the root of it, there are two things you need.
1) All accesslogs indexed in splunk
2) domainlist.csv setup as a lookup file.
Simple right, well not quiet. For matching values between indexed data and data in a lookup file, the field names and field values of matching field have to be identical. So, if you have a field in your indexed data called, request_uri, then the csv needs to have same name. Also, the domain names have to match as well. For example if your csv has `www.blacklistedsite.com and you indexed data in request_uri is subdomain.blacklistedsite.com. they will not match.
Having said that, do not fret it can be done :). There is a ton of really good information. You can start here.
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Addfieldsfromexternaldatasources
Thank you very much sundareshr for your answer