Splunk Search

IOC Inputlookup

zayedaljaberi
Engager

Hi ,

my goal is to detect if there is any matches with my custom Domain_IOC.csv list and display additional column for the note.

Domain_IOC.csv list includes two columns
Domain and ioc_note (example picture attached of lookup table)alt text

I want the output to be if there was matches with domain is to include the ioc_note column as well.

Current Query I have (Which provides me the matches with domain but doesn't include ioc_note column)

index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| stats values(Domain) as IOC by Date,host,Account,IP,Action

For your kind support.

Tags (1)
0 Karma

to4kawa
Ultra Champion
 index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv | fields Domain]
 | stats count by _time, Domain, Action, Category
 | inputlookup append=t Domain_IOC.csv
 | eval Domain=trim(Domain,".")
 | eval Domain=trim(Domain,"*")
 | sefljoin Domain
 | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
 | fields - _time

Hi folks
Domain in search has extra .(dot) and Domain in lookup has extra *(astarisk).
These can't match by lookup.

0 Karma

harsmarvania57
Ultra Champion

Nice find I didn’t notice extra dot and wildcard in lookup. However you can do wildcard lookup and it is possible have a look at my answer https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html

0 Karma

harsmarvania57
Ultra Champion

Hi,

Please try below seaarch

index=dns sourcetype="dnslog"
| stats values(Domain) as Domain by _time,host,Account,IP,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma

zayedaljaberi
Engager

Hi Hars,

unfortunately it didn't work, no events showed.

Would you please advice?

0 Karma

harsmarvania57
Ultra Champion

If you run below query, are you getting any result ?

index=dns sourcetype="dnslog"
 | stats values(Domain) as Domain by _time,host,Account,IP,Action
0 Karma

zayedaljaberi
Engager

Hi,

No results based on your query

to verify that i'm receiving the events in the screenshot below
alt text

0 Karma

harsmarvania57
Ultra Champion

Try below query

index=dns sourcetype="dnslog"
| stats count by _time,Domain,host,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...