I have a CSV (domains.csv) that contains the list of domains. I have uploaded it into Splunk and get the result using [| inputlookup domains.csv]. Splunk is getting the data from the email system for inbound/outbound emails.
I want to check which domains in my list are using email security protocols like TLS, SPF, DKIM and DMARC. How can I get that info?
index="pp_index" sourcetype="pp_messagelog" [| inputlookup domains.csv ]
Hi @nitinpa,
to filter a search using a lookup, you have to be sure that the field names are the same both in the search and in the lookup (fields are case sensitive); if not, you have to rename one of them.
In a few words, if in the pp_index the url is called "url" and in the lookup it is called domain, you have to run something like this:
index="pp_index" sourcetype="pp_messagelog" [| inputlookup domains.csv | rename domain AS url | fields url ]
| ...
If, in addition, the domain is a part of the url and not the full url, you have to extract the domain from the url using a regex.
If you share an example of the logs and of domains.csv, I could be more precise.
Ciao.
Giuseppe
Hi Giuseppe,
Thank you for your help on this!
I got the list of domains from domains.csv. I want to search those domains against inbound emails, which are stored in sourcetype = PP_messagelog. I want to match the sender domain field and check if they are using proper email security protocols or not by verifying TLS, SPF, DKIM, DMARC etc.
There is a field called "connection.tls.inbound.version", so I can check from that CSV whether this domain is using TLS v1.2 or 1.1 or 1.
For example, if the list contains gmail.com, I will check gmail.com against the search and, using the above field, find out whether gmail.com is using TLSv1.2 or not.
Hope this helps
Thanks,
Nitin
Hi @nitinpa,
I'll try to summarize:
Is this correct?
Only two questions:
In the meantime, you could run something like this:
index=your_index sourcetype=PP_messagelog
| rex field=email "[^@]*@(?<domain>.*)"
| dedup domain
| lookup my_domain_lookup domain OUTPUT connection.tls.inbound.version
| table domain connection.tls.inbound.version
to have the list of all domains with related TLS (when present).
At the end you can add a condition to filter domains based on TLS (e.g. to find only TLS=1.2):
| search connection.tls.inbound.version="1.2"
Ciao.
Giuseppe
Hi Giuseppe,
Thank you for your help on this!
That's correct! I want to enrich the result of the search with the information about TLS.
I want to highlight the condition TLS=1.2.
There are two parts to it:
I want to check the domains from the list (domains.csv) with the source (pp_messagelog) and check if it's using TLS 1.2 or not. If the domain is not from the list then simply ignore that domain.
Hope this helps!
Thanks,
Nitin
Hi @nitinpa,
You speak of source (pp_messagelog), but from your question it seems to be the sourcetype: which information do you have in the lookup, source or sourcetype?
In other words, do you want to relate the main search and the lookup using the sourcetype, the domain or both?
If you want to use the sourcetype to check the TLS and not the domain, you only have to modify my previous search a little bit:
index=your_index sourcetype=PP_messagelog
| rex field=email "[^@]*@(?<domain>.*)"
| dedup domain
| lookup my_domain_lookup sourcetype OUTPUT connection.tls.inbound.version
| table domain sourcetype connection.tls.inbound.version
| search connection.tls.inbound.version="1.2"
If you want to use the domain, use the old search.
Ciao.
Giuseppe
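As an added example (not a search posted in this thread), here is one way to put the two halves of Nitin's request together in SPL: keep only inbound events whose sender domain is present in domains.csv, then report per domain which TLS versions were actually observed on those connections and flag domains where any message arrived below the TLS 1.2 baseline. It assumes a lookup definition named domains_lookup that points at domains.csv with a column named domain, a sender-address field named email in pp_messagelog, and the connection.tls.inbound.version field mentioned above; none of these names come from the thread except the TLS field.

```spl
index="pp_index" sourcetype="pp_messagelog"
| rex field=email "@(?<sender_domain>[^>\s]+)"
| eval sender_domain=lower(sender_domain)
| lookup domains_lookup domain AS sender_domain OUTPUT domain AS listed_domain
| where isnotnull(listed_domain)
| rename connection.tls.inbound.version AS tls_version
| eval tls_version=coalesce(tls_version, "none")
| eval below_baseline=if(match(tls_version, "^1\.[23]$"), 0, 1)
| stats count AS messages,
        sum(below_baseline) AS messages_below_tls12,
        values(tls_version) AS tls_versions_seen,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY sender_domain
| eval status=if(messages_below_tls12 > 0, "REVIEW", "OK")
| convert ctime(first_seen) ctime(last_seen)
| sort - messages_below_tls12
```

Domains in the CSV that never appear in the search window will not show up in this table; to list those as well, append the CSV with `inputlookup append=t` before the stats and treat a missing tls_versions_seen as "no mail observed".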
Hi Giuseppe,
Thank you for your help on this!
Thanks and Regards,
Nitin