Splunk Search

Match all possible matches to lookuplist

rtalcik
Path Finder

index=proxy domain=*
| rename domain as emotet_domain
| where
[| inputlookup test
| fields emotet_domain]
| stats values(emotet_domain) as emotetDomain

so inside the lookup list i want to be able to match for example a threat of -- reason.com OR www.reason.com

i added the matchtype option of WILDCARD(emotet_domain) AND I have also tried WILDCARD(domain) I am not sure whihc one will help wildcard it, but as of right now it is NOT working.

Labels (1)
Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain

View solution in original post

0 Karma

woodcock
Esteemed Legend

Assuming that your lookup has domain values like reason.com, all you need to do is this and then it should work:

inputlookup test
| eval emotet_domain = "*." . emotet_domain
| outputlookup test

Then use it like this:

index=proxy domain=*
| lookup test emotet_domain AS domain OUTPUT emotet_domain AS MATCHED
| where isnotnull(MATCHED)
0 Karma

rtalcik
Path Finder

Thanks this would def help in the future, unfortunately what was below will help even better.

0 Karma

to4kawa
Ultra Champion
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
0 Karma

rtalcik
Path Finder

So, what this is doing is it is searching all the events that happened and that it matches. I need to match the latest event so it only triggers an alert.

I also need to add more to it as well such as

index=proxy domain=* OR index=network* src_ip=* dest_ip=*
[| inputlookup test
| stats values(emotet_domain) as query, values(emotet_ip) as IP
|format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
| lookup test emotet_ip as dest_ip OUTPUT emotet_ip
| lookup test emotet_ip as src_ip OUTPUT emotet_ip

will this work??

0 Karma

to4kawa
Ultra Champion

I see what you want.
Let's ask another question.
at the time, please provide Csv sample and setting.

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...