Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I correlate access logs with a malware domain list in CSV format?

papemalik
Explorer
‎06-30-2016 07:27 AM

Hello Guys,

I am VERY new to Splunk and security. I actually started to work on a security project where we want to use Splunk to correlate access logs with a malware domain list (csv format) so that we will be able to detect unusual behavior of users.

For example, detect that a user tried to connect to a URL with a bad reputation several times (in a day, or in a period of time), or repetitive connection attempt in countries that we know we have any interest. etc.

I'm kindly asking for your help as right now, I'm a little bit lost.

Thank you very much to each one of you.

0 Karma
Reply

sundareshr
Legend
‎06-30-2016 09:33 AM

That's a loaded question. At the root of it, there are two things you need.

1) All accesslogs indexed in splunk
2) domainlist.csv setup as a lookup file.

Simple right, well not quiet. For matching values between indexed data and data in a lookup file, the field names and field values of matching field have to be identical. So, if you have a field in your indexed data called, request_uri, then the csv needs to have same name. Also, the domain names have to match as well. For example if your csv has `www.blacklistedsite.com and you indexed data in request_uri is subdomain.blacklistedsite.com. they will not match.

Having said that, do not fret it can be done :). There is a ton of really good information. You can start here.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Addfieldsfromexternaldatasources

Reply

papemalik
Explorer
‎07-01-2016 01:41 AM

Thank you very much sundareshr for your answer

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...