Splunk Search

Is there anything similar to an active list or reference set in Splunk

rishabhey2016
Explorer

Hi,

I want to push the internal IP address (or host name) into a reference set whenever I see any communication with a blacklisted IP address (from threat intel). Further, I want to correlate the same internal IP/host name (which communicated with the blacklisted IP) with antivirus logs to check if it got infected by some malware.

Please help on this.

Is it possible to make some dynamic lookup table?

0 Karma

sundareshr
Legend

Lookup is your answer. http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Lookup

You can generate/update the lookup .csv file and use subsearches for correlation.

0 Karma
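As an added example (not part of the answer above), here is the "generate/update the lookup .csv and correlate with subsearches" approach written out in SPL. Everything named below is an assumption: firewall events live in index=firewalls with src (internal address) and dst (external address) fields, antivirus events live in index=antivirus with dest_ip, signature and action fields, the threat-intel blacklist is a lookup file blacklist.csv with an ip column, and suspect_hosts.csv is the dynamic lookup that the first search creates. The block holds three separate searches: the first is meant to run on a schedule (for example every 15 minutes) and appends newly seen internal hosts to suspect_hosts.csv; the second is the correlation search against the antivirus index; the third is an optional housekeeping search that collapses the duplicate rows that append=true accumulates.

```spl
index=firewalls earliest=-15m@m latest=@m
    [| inputlookup blacklist.csv | fields ip | rename ip AS dst | format ]
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, count AS hits,
        values(dst) AS blacklisted_ips BY src
| eval last_updated=now()
| outputlookup append=true suspect_hosts.csv

index=antivirus earliest=-24h
    [| inputlookup suspect_hosts.csv | fields src | rename src AS dest_ip | format ]
| lookup suspect_hosts.csv src AS dest_ip OUTPUT first_seen AS blacklist_first_seen, blacklisted_ips
| stats values(signature) AS av_detections, values(action) AS av_actions,
        min(blacklist_first_seen) AS blacklist_first_seen,
        values(blacklisted_ips) AS blacklisted_ips BY dest_ip
| eval blacklist_first_seen=strftime(blacklist_first_seen, "%Y-%m-%d %H:%M:%S")

| inputlookup suspect_hosts.csv
| stats min(first_seen) AS first_seen, max(last_seen) AS last_seen, sum(hits) AS hits,
        values(blacklisted_ips) AS blacklisted_ips, max(last_updated) AS last_updated BY src
| outputlookup suspect_hosts.csv
```

Two things worth checking before relying on this. The subsearch in square brackets is expanded into an OR clause (format emits one clause per lookup row); a subsearch is capped by limits.conf at 10,000 results and 60 seconds by default, so a large threat feed should be matched with the lookup command instead (for example `| lookup blacklist.csv ip AS dst OUTPUT ip AS matched | where isnotnull(matched)`). Use the Job Inspector to confirm what the subsearch actually expanded to, especially when the lookup is empty. Because outputlookup append=true never deduplicates, the same internal host gets a new row on every run in which it beacons; the second search tolerates that by aggregating with stats, and the third search compacts the file to one row per host.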

jkat54
SplunkTrust

You can use a lookup for this:

The lookup would contain blacklisted IPs, and a search would run against the lookup. Something like this.

index=firewalls  [|inputlookup blacklist.csv | fields ip | rename ip as dst | return 0 dst]

The above search would open blacklist.csv, retrieve only the column named ip, rename ip to dst, and return all of the dst values to the main search. It would end up with a final search looking like this:

index=firewalls dst=10.0.0.1 OR dst=10.0.0.2 OR dst=10.0.0.3

Now you can take the results of this search to a summary index using the collect command, and finally you can use the summary index in searches to correlate Internal IPs which have communicated with Blacklisted IPs to Antivirus logs, etc.

0 Karma
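As an added example (this is not jkat54's code), here is the summary-index version of the same workflow. The names are assumptions: firewall events in index=firewalls with src and dst fields, antivirus events in index=antivirus with dest_ip and signature fields, a blacklist.csv lookup with an ip column, and a summary index named threat_summary that already exists. The first search is the scheduled one (for example hourly over the previous hour): it reduces the blacklist contacts to one row per internal host and writes those rows to the summary index with collect. The second search correlates the summary index with the antivirus index in a single pass by pulling both into one result set and keeping only hosts that appear in both.

```spl
index=firewalls earliest=-1h@h latest=@h
    [| inputlookup blacklist.csv | fields ip | rename ip AS dst | format ]
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, count AS hits,
        values(dst) AS blacklisted_ips BY src
| rename src AS host_ip
| collect index=threat_summary source=blacklist_contacts

(index=threat_summary source=blacklist_contacts) OR (index=antivirus)
| eval host_ip=coalesce(host_ip, dest_ip),
       evidence=if(index="threat_summary", "blacklist_contact", "av_detection")
| stats values(evidence) AS evidence, dc(evidence) AS evidence_types,
        min(first_seen) AS blacklist_first_seen, values(blacklisted_ips) AS blacklisted_ips,
        values(signature) AS av_detections BY host_ip
| where evidence_types=2
| eval blacklist_first_seen=strftime(blacklist_first_seen, "%Y-%m-%d %H:%M:%S")
| sort - blacklist_first_seen
```

The stats-based correlation is used instead of join because join is subject to the same subsearch limits as the bracketed subsearch; stats over the union of both indexes has no such cap, and the time picker of the second search defines the correlation window for both sides. collect writes the rows with sourcetype stash by default, which is not counted against the license; setting sourcetype to anything else makes the summary data licensed volume. The rows keep their first_seen and blacklisted_ips fields, so the correlation search can show when the beaconing started relative to the antivirus detection.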