Splunk Search

How can I correlate access logs with a malware domain list in CSV format?

Explorer

Hello Guys,

I am VERY new to Splunk and security. I actually started to work on a security project where we want to use Splunk to correlate access logs with a malware domain list (csv format) so that we will be able to detect unusual behavior of users.

For example, detect that a user tried to connect to a URL with a bad reputation several times (in a day, or in a period of time), or repetitive connection attempt in countries that we know we have any interest. etc.

I'm kindly asking for your help as right now, I'm a little bit lost.

Thank you very much to each one of you.

0 Karma

Legend

That's a loaded question. At the root of it, there are two things you need.

1) All accesslogs indexed in splunk
2) domainlist.csv setup as a lookup file.

Simple right, well not quiet. For matching values between indexed data and data in a lookup file, the field names and field values of matching field have to be identical. So, if you have a field in your indexed data called, request_uri, then the csv needs to have same name. Also, the domain names have to match as well. For example if your csv has `www.blacklistedsite.com and you indexed data in request_uri is subdomain.blacklistedsite.com. they will not match.

Having said that, do not fret it can be done :). There is a ton of really good information. You can start here.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Addfieldsfromexternaldatasources

Explorer

Thank you very much sundareshr for your answer

0 Karma