Splunk Search

How to create a look up table with "*&" or "any" field?

Erfan
Explorer

Hi

I am trying to whitelist some traffic from my search. So I decided to create a lookup table including src ip, dst ip, username, dst port, src zone.

for example:

src_ip dest_ip src_zone dest_port user whitelisted
* * center * * TRUE
172.16.20.44 13.58.90.11 * 443 Alice TRUE
* 128.221.236.246 * 443 * TRUE
192.168.12.03 * * * * TRUE
172.16.20.13 * * * * TRUE
192.168.26.4 * * * * TRUE
192.168.26.8 198.160.25.74 * 443 * TRUE
192.168.26.9 198.160.25.87 * * * TRUE
* 142.250.70.174 * * * TRUE
But the problem is that the search matches when all cells for the fields called in the lookup command have values, but it does not match (does not whitelist) if a cell has a "*" or "Any" value.

| lookup whitelisttest.csv src_ip as src_ip dest_ip as dest_ip dest_port as dest_port user as user
| where isnull(whitelisted)


yuanliu
SplunkTrust

Will match_type WILDCARD help?  See Create a CSV lookup definition.


Erfan
Explorer

Thanks for your response. 

I created a lookup definition and in match type I entered: WILDCARD(dest_ip)

I expected to see all results except traffic from 172.16.20.13:

172.16.20.13 * * * * TRUE
But it did not show any records. I mean it removed all results, not only the whitelisted ones.

yuanliu
SplunkTrust

You need to give more details about your data with illustration, including an explanation of key characteristics, and illustrate the desired results.

If every event contains these four fields, src_ip, dest_ip, dest_port, and user, your lookup

| lookup whitelisttest.csv src_ip dest_ip dest_port user ``` no need to use "as" annotator if the name is the same ```

will always return whitelisted "TRUE".  This is because in addition to the row you just quoted, you also have this row

src_ip dest_ip src_zone dest_port user whitelisted
* * center * * TRUE

In other words, the wildcard search is working exactly as you asked.

In fact, I suggested wildcard only because you entered "*" in the table.  Splunk's lookup also supports CIDR match.  This is probably more appropriate for IP address filtering.  Just food for thought.


Erfan
Explorer

Thank you Yuanliu

let me rephrase my question, maybe lookup is not a good solution for my problem.

Actually I want to whitelist the following traffic in a search of FortiGate's logs:

Traffic from 172.16.20.12 to everywhere

traffic from 192.168.26.8 to 198.160.25.74

traffic from everywhere to 142.250.70.174

traffic from any to any related to a specific user (Alice)
All records include all fields.


yuanliu
SplunkTrust

Suitability is always defined by the data and requirements.  In the case you described, you can still use lookup to establish the desired whitelist.  For example, if you use match_type WILDCARD in every field, you can say

src_ip dest_ip src_zone dest_port user whitelisted
172.16.20.12 * center * * TRUE
192.168.26.8 198.160.25.74 center * * TRUE
* 142.250.70.174 center * * TRUE
* * center * Alice TRUE

and use the same search

| lookup whitelisttest.csv src_ip dest_ip dest_port user
| where isnull(whitelisted)

Now, if you want future ability to use CIDR for more granular control, set src_ip and dest_ip to use CIDR, and change lookup to

src_ip dest_ip src_zone dest_port user whitelisted
172.16.20.12/32 0.0.0.0/0 center * * TRUE
192.168.26.8/32 198.160.25.74/32 center * * TRUE
0.0.0.0/0 142.250.70.174/32 center * * TRUE
0.0.0.0/0 0.0.0.0/0 center * Alice TRUE

Hope this helps.
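
The following is an added example, not code from this thread or from Splunk: a small Python emulation of how the lookup command compares each event against the rows above, so the three behaviours discussed in the thread can be seen side by side on constructed FortiGate-style events. It assumes that Splunk's default match compares cell and event value as literal strings (so "*" is just an asterisk), that WILDCARD(field) treats "*" as a glob, and that CIDR(field) tests whether the event's address falls inside the row's network. The events, the `row`/`lookup`/`unwhitelisted` helper names and the match-type dictionaries are this example's own; the CSV rows and lookup field list are the ones from the thread.

```python
"""Emulation of Splunk CSV-lookup matching for the whitelist in this thread.

Added example, not code from the thread or from Splunk. Assumptions: Splunk's
default (exact) match compares strings literally, WILDCARD(field) interprets '*'
as a glob, and CIDR(field) tests network containment. The events are
constructed stand-ins for FortiGate traffic logs, not real data.
"""
import fnmatch
import ipaddress

# Fields named in `| lookup whitelisttest.csv src_ip dest_ip dest_port user`.
# src_zone exists in the CSV but is not in this list, so it is never compared.
LOOKUP_FIELDS = ["src_ip", "dest_ip", "dest_port", "user"]

# Match types as typed into the lookup definition's "Match type" box.
ALL_WILDCARD = {f: "WILDCARD" for f in LOOKUP_FIELDS}       # WILDCARD(src_ip), WILDCARD(dest_ip), ...
CIDR_ON_IPS = {"src_ip": "CIDR", "dest_ip": "CIDR",          # CIDR(src_ip), CIDR(dest_ip),
               "dest_port": "WILDCARD", "user": "WILDCARD"}  # WILDCARD(dest_port), WILDCARD(user)


def row(src_ip, dest_ip, src_zone, dest_port, user, whitelisted="TRUE"):
    """One CSV row, column order as in the thread's table."""
    return dict(src_ip=src_ip, dest_ip=dest_ip, src_zone=src_zone,
                dest_port=dest_port, user=user, whitelisted=whitelisted)


# The wildcard table from the reply above (one row per whitelist requirement).
WILDCARD_TABLE = [
    row("172.16.20.12", "*", "center", "*", "*"),             # 172.16.20.12 to anywhere
    row("192.168.26.8", "198.160.25.74", "center", "*", "*"),
    row("*", "142.250.70.174", "center", "*", "*"),           # anywhere to 142.250.70.174
    row("*", "*", "center", "*", "Alice"),                    # any traffic for Alice
]
# The same rules expressed with CIDR on the IP columns.
CIDR_TABLE = [
    row("172.16.20.12/32", "0.0.0.0/0", "center", "*", "*"),
    row("192.168.26.8/32", "198.160.25.74/32", "center", "*", "*"),
    row("0.0.0.0/0", "142.250.70.174/32", "center", "*", "*"),
    row("0.0.0.0/0", "0.0.0.0/0", "center", "*", "Alice"),
]
# First row of the original post: under WILDCARD matching it whitelists everything.
CATCH_ALL_ROW = row("*", "*", "center", "*", "*")

# Constructed events; every event carries all four lookup fields.
EVENTS = [
    dict(src_ip="172.16.20.12", dest_ip="8.8.8.8", src_zone="center", dest_port="53", user="bob"),
    dict(src_ip="192.168.26.8", dest_ip="198.160.25.74", src_zone="center", dest_port="443", user="bob"),
    dict(src_ip="192.168.26.8", dest_ip="198.160.25.75", src_zone="center", dest_port="443", user="bob"),
    dict(src_ip="10.0.0.5", dest_ip="142.250.70.174", src_zone="dmz", dest_port="443", user="carol"),
    dict(src_ip="10.0.0.9", dest_ip="1.1.1.1", src_zone="dmz", dest_port="22", user="Alice"),
    dict(src_ip="10.0.0.9", dest_ip="1.1.1.1", src_zone="dmz", dest_port="22", user="dave"),
]


def field_matches(pattern, value, mode):
    """Compare one CSV cell against one event value under the given match type."""
    if mode == "WILDCARD":
        return fnmatch.fnmatchcase(value, pattern)
    if mode == "CIDR":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:      # non-IP value or malformed pattern: no match rather than a crash
            return False
    return pattern == value     # default exact match: '*' is just a literal asterisk


def lookup(event, table, fields, match_type):
    """Return the output of the first row whose lookup fields all match, else {}.

    Real Splunk can return several matching rows as a multivalue field; for an
    isnull(whitelisted) test only "did any row match" matters.
    """
    for r in table:
        if all(field_matches(r[f], event[f], match_type.get(f, "EXACT")) for f in fields):
            return {"whitelisted": r["whitelisted"]}
    return {}


def unwhitelisted(events, table, fields, match_type):
    """Equivalent of `| lookup ... | where isnull(whitelisted)`."""
    return [e for e in events if "whitelisted" not in lookup(e, table, fields, match_type)]


if __name__ == "__main__":
    for label, table, mode in [
        ("exact match (the original symptom)", WILDCARD_TABLE, {}),
        ("WILDCARD on all four fields", WILDCARD_TABLE, ALL_WILDCARD),
        ("CIDR on IPs, WILDCARD on port/user", CIDR_TABLE, CIDR_ON_IPS),
        ("'* * center * *' row with WILDCARD", [CATCH_ALL_ROW], ALL_WILDCARD),
    ]:
        left = unwhitelisted(EVENTS, table, LOOKUP_FIELDS, mode)
        print(f"{label}: {len(left)} of {len(EVENTS)} events remain")
```

Run stand-alone, the four cases reproduce the thread: with exact matching no row containing "*" ever matches, so nothing is whitelisted; with WILDCARD on every looked-up field the four rules whitelist four of the six events and leave the two that no rule covers; the CIDR table gives the same result; and the catch-all "* * center * *" row removes every event, which is why the earlier attempt returned nothing. Note also that the "center" value in src_zone plays no part, because src_zone is not among the fields passed to lookup.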

Erfan
Explorer

Thank you so much.

The only vague part for me is how to create a match type for wildcard on all fields in the GUI version.

I think this works for CUI: 
field1,field2,field3,output_field,match_type

value1,value2,value3,output_value,*

 

But I do not have access to CUI and it is just GUI. So I defined WILDCARD(*) but it did not work.


yuanliu
SplunkTrust

You can add as many wildcard lookup fields as needed. This is the instruction from Splunk Web (GUI)

Optionally set up non-exact matching of a comma-and-space-delimited field list. Format is <match_type>(<field_name>). Available values for match_type are WILDCARD and CIDR.

No need for CUI.
