Splunk Search

How can I correlate access logs with a malware domain list in CSV format?

papemalik
Explorer

Hello Guys,

I am VERY new to Splunk and security. I actually started to work on a security project where we want to use Splunk to correlate access logs with a malware domain list (csv format) so that we will be able to detect unusual behavior of users.

For example, detect that a user tried to connect to a URL with a bad reputation several times (in a day, or in a period of time), or repetitive connection attempt in countries that we know we have any interest. etc.

I'm kindly asking for your help as right now, I'm a little bit lost.

Thank you very much to each one of you.

0 Karma

sundareshr
Legend

That's a loaded question. At the root of it, there are two things you need.

1) All accesslogs indexed in splunk
2) domainlist.csv setup as a lookup file.

Simple right, well not quiet. For matching values between indexed data and data in a lookup file, the field names and field values of matching field have to be identical. So, if you have a field in your indexed data called, request_uri, then the csv needs to have same name. Also, the domain names have to match as well. For example if your csv has `www.blacklistedsite.com and you indexed data in request_uri is subdomain.blacklistedsite.com. they will not match.

Having said that, do not fret it can be done :). There is a ton of really good information. You can start here.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Addfieldsfromexternaldatasources

papemalik
Explorer

Thank you very much sundareshr for your answer

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...