Splunk Search
Highlighted

Is there any thing similar to active list or reference set in Splunk

Explorer

Hi,

I want to push the internal IP address (or host name) in a reference set, whenever I see any communication with blacklisted IP address (by threat Intel). Further, I want to correlate the same internal IP/ Host name (which communicated with the blacklisted IP) with Antivirus logs to check if it got infected by some malware.

Please help on this.

Is it possible to make some dynamic lookup table?

0 Karma
Highlighted

Re: Is there any thing similar to active list or reference set in Splunk

SplunkTrust
SplunkTrust

You can use a lookup for this:

The lookup would contain blacklisted IPs, and a search would run against the lookup. Something like this.

index=firewalls  [|inputlookup blacklist.csv | fields ip | rename ip as dst | return 0 dst]

The above search would open blacklist.csv, retrieve only the column named ip, rename ip to dst, and return all ip/dst to the main search. It would end up with a final search looking like this:

index=firewall dst=10.0.0.1 OR dst=10.0.0.2 OR dst=10.0.0.3

Now you can take the results of this search to a summary index using the collect command, and finally you can use the summary index in searches to correlate Internal IPs which have communicated with Blacklisted IPs to Antivirus logs, etc.

0 Karma
Highlighted

Re: Is there any thing similar to active list or reference set in Splunk

Legend

Lookup is you answer. http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Lookup

You can generate/update the lookup .csv file and use subsearches for correlation.

0 Karma