I have a list of executables uploaded as a lookup in Splunk and have proxy logs to compare against it.
I need to find out if any user is trying to download an executable in this list from the internet.
My index is bluecoat and lookup table is executable.
Someone please help.
It should find it anywhere in the _raw event, but it needs to be an exact match.
If that fails, you will have to extract the name of the exe into a separate field using regex. If you share a raw event, someone can help you with the regex. In that event, you will need to change the query to this:
index=bluecoat | YOUR REGEX TO EXTRACT EXE NAME TO SOME FIELD | search [ | inputlookup ListOfExes.csv | table FieldWithExeNames] | rest of your query here
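To make the logic of that second query concrete, here is an added Python example (not from the original answer or from Splunk) that does outside of Splunk what the `| YOUR REGEX ... | search [ | inputlookup ... ]` pipeline does: load the lookup column, pull the executable name out of the requested URL, and keep only events whose extracted name exactly equals an entry in the lookup. The lookup contents, the `FieldWithExeNames` column name and the simplified key=value Bluecoat-style log lines are all constructed for this example; the real Bluecoat field names and the regex used on the page are placeholders there too. The example also covers two edge cases a raw-text search would get wrong: a filename that merely contains a listed name (`psexec.exe.pdf`), and percent-encoded or differently-cased names that are the same executable.

```python
import csv
import io
import re
from urllib.parse import urlparse, unquote

# Constructed lookup: the "executable" lookup from the question, as CSV text with
# the column name used in the answer's subsearch (FieldWithExeNames is an assumption).
LOOKUP_CSV = """FieldWithExeNames
mimikatz.exe
psexec.exe
nc.exe
"""

# Constructed, simplified Bluecoat-style proxy events (key=value form is an assumption;
# real Bluecoat access logs use a positional format with cs-uri style field names).
PROXY_LOGS = [
    "date=2024-05-01 time=10:00:01 c_ip=10.1.2.3 cs_username=alice cs_method=GET cs_uri=http://files.example.test/tools/psexec.exe sc_status=200",
    "date=2024-05-01 time=10:00:05 c_ip=10.1.2.4 cs_username=bob cs_method=GET cs_uri=http://cdn.example.test/docs/psexec.exe.pdf sc_status=200",
    "date=2024-05-01 time=10:00:09 c_ip=10.1.2.5 cs_username=carol cs_method=GET cs_uri=http://mirror.example.test/dl/NC.EXE?ver=1 sc_status=200",
    "date=2024-05-01 time=10:00:12 c_ip=10.1.2.6 cs_username=dave cs_method=GET cs_uri=http://site.example.test/index.html sc_status=200",
    "date=2024-05-01 time=10:00:15 c_ip=10.1.2.7 cs_username=eve cs_method=GET cs_uri=http://dl.example.test/get/mimikatz%2Eexe sc_status=200",
]


def load_lookup(csv_text, field="FieldWithExeNames"):
    """Equivalent of `| inputlookup ListOfExes.csv | table FieldWithExeNames`.

    Returns a set of lower-cased names; Splunk's term matching is case-insensitive,
    so normalising case here keeps the two behaviours aligned.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[field].strip().lower() for row in reader if row.get(field)}


# Key=value field extraction for the constructed log format above.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(raw):
    """Split one raw event into a dict of field -> value."""
    return dict(KV_RE.findall(raw))


def extract_exe_name(uri):
    """Stand-in for the answer's 'YOUR REGEX TO EXTRACT EXE NAME TO SOME FIELD'.

    Takes the last path segment of the URL (percent-decoded, query string dropped)
    and lower-cases it, so NC.EXE?ver=1 and mimikatz%2Eexe compare as plain names.
    """
    path = unquote(urlparse(uri).path)
    return path.rsplit("/", 1)[-1].lower()


def find_downloads(raw_events, lookup):
    """Equivalent of `| search [ subsearch ]` on the extracted field: keep events whose
    whole filename is in the lookup. Returns (user, client_ip, exe_name) tuples."""
    hits = []
    for raw in raw_events:
        ev = parse_event(raw)
        uri = ev.get("cs_uri")
        if not uri:
            continue
        name = extract_exe_name(uri)
        if name in lookup:  # exact match on the whole filename, not a substring
            hits.append((ev.get("cs_username"), ev.get("c_ip"), name))
    return hits


if __name__ == "__main__":
    for user, ip, exe in find_downloads(PROXY_LOGS, load_lookup(LOOKUP_CSV)):
        print(f"{user} ({ip}) requested {exe}")
```

Note that `bob` is not reported even though `psexec.exe` appears inside his URL: the comparison is on the extracted filename as a whole, which is the "exact match" the answer is after. Whether a Splunk `_raw` term search would also treat `psexec.exe.pdf` as a hit depends on event segmentation, which is exactly why extracting the name into its own field before the subsearch is the safer form.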