Splunk Search

Match all possible matches to lookuplist

rtalcik
Path Finder

index=proxy domain=*
| rename domain as emotet_domain
| where
[| inputlookup test
| fields emotet_domain]
| stats values(emotet_domain) as emotetDomain

so inside the lookup list i want to be able to match for example a threat of -- reason.com OR www.reason.com

i added the matchtype option of WILDCARD(emotet_domain) AND I have also tried WILDCARD(domain) I am not sure whihc one will help wildcard it, but as of right now it is NOT working.

Labels (1)
Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain

View solution in original post

0 Karma

woodcock
Esteemed Legend

Assuming that your lookup has domain values like reason.com, all you need to do is this and then it should work:

inputlookup test
| eval emotet_domain = "*." . emotet_domain
| outputlookup test

Then use it like this:

index=proxy domain=*
| lookup test emotet_domain AS domain OUTPUT emotet_domain AS MATCHED
| where isnotnull(MATCHED)
0 Karma

rtalcik
Path Finder

Thanks this would def help in the future, unfortunately what was below will help even better.

0 Karma

to4kawa
Ultra Champion
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
0 Karma

rtalcik
Path Finder

So, what this is doing is it is searching all the events that happened and that it matches. I need to match the latest event so it only triggers an alert.

I also need to add more to it as well such as

index=proxy domain=* OR index=network* src_ip=* dest_ip=*
[| inputlookup test
| stats values(emotet_domain) as query, values(emotet_ip) as IP
|format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
| lookup test emotet_ip as dest_ip OUTPUT emotet_ip
| lookup test emotet_ip as src_ip OUTPUT emotet_ip

will this work??

0 Karma

to4kawa
Ultra Champion

I see what you want.
Let's ask another question.
at the time, please provide Csv sample and setting.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...