Splunk Search

Is there any thing similar to active list or reference set in Splunk

rishabhey2016
Explorer

Hi,

I want to push the internal IP address (or host name) in a reference set, whenever I see any communication with blacklisted IP address (by threat Intel). Further, I want to correlate the same internal IP/ Host name (which communicated with the blacklisted IP) with Antivirus logs to check if it got infected by some malware.

Please help on this.

Is it possible to make some dynamic lookup table?

0 Karma

sundareshr
Legend

Lookup is you answer. http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Lookup

You can generate/update the lookup .csv file and use subsearches for correlation.

0 Karma

jkat54
SplunkTrust
SplunkTrust

You can use a lookup for this:

The lookup would contain blacklisted IPs, and a search would run against the lookup. Something like this.

index=firewalls  [|inputlookup blacklist.csv | fields ip | rename ip as dst | return 0 dst]

The above search would open blacklist.csv, retrieve only the column named ip, rename ip to dst, and return all ip/dst to the main search. It would end up with a final search looking like this:

index=firewall dst=10.0.0.1 OR dst=10.0.0.2 OR dst=10.0.0.3

Now you can take the results of this search to a summary index using the collect command, and finally you can use the summary index in searches to correlate Internal IPs which have communicated with Blacklisted IPs to Antivirus logs, etc.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...