I have a list of executables uploaded as a lookup in Splunk and have proxy logs to compare against it.
I need to find out if any user is trying to download an executable in this list from the internet.
My index is bluecoat and lookup table is executable.
Someone please help.
My index is bluecoat, and it has url field which contains the executable somewhere in the payload. The lookup contains list of executable.
index=bluecoat [ | inputlookup ListOfExes.csv | table FieldWithExeNames | rename FieldWithExeNames AS search] | rest of your query here
Thanks, but will it work if the executable are present in somewhere in the URL? Will it compare the exact keyword from lookup table with url field?
It should find it anywhere in the _raw event. But needs to be an exact match.
If that fails, you will have to extract the name of the exe into a separate field using regex. If you share raw event, someone can help you with the regex. In that event, you will need to change the query to this
index=bluecoat | YOUR REGEX TO EXTRACT EXE NAME TO SOME FIELD | search [ | inputlookup ListOfExes.csv | table FieldWithExeNames] | rest of your query here