Re: Is there any thing similar to active list or r...

rishabhey2016 · ‎07-06-2016

Hi,

I want to push the internal IP address (or host name) in a reference set, whenever I see any communication with blacklisted IP address (by threat Intel). Further, I want to correlate the same internal IP/ Host name (which communicated with the blacklisted IP) with Antivirus logs to check if it got infected by some malware.

Please help on this.

Is it possible to make some dynamic lookup table?

sundareshr · ‎07-06-2016

Lookup is you answer. http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Lookup

You can generate/update the lookup .csv file and use subsearches for correlation.

jkat54 · ‎07-06-2016

You can use a lookup for this:

The lookup would contain blacklisted IPs, and a search would run against the lookup. Something like this.

index=firewalls  [|inputlookup blacklist.csv | fields ip | rename ip as dst | return 0 dst]

The above search would open blacklist.csv, retrieve only the column named ip, rename ip to dst, and return all ip/dst to the main search. It would end up with a final search looking like this:

index=firewall dst=10.0.0.1 OR dst=10.0.0.2 OR dst=10.0.0.3

Now you can take the results of this search to a summary index using the collect command, and finally you can use the summary index in searches to correlate Internal IPs which have communicated with Blacklisted IPs to Antivirus logs, etc.

Is there any thing similar to active list or reference set in Splunk

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms