Splunk Search

Multiple Searches with BRO LOGS - Trying to correlate certificate data.

baegoon
Explorer

In BRO 2.5.X there are about 3 or 4 log files that have SSL Certificate information: x509.log, ssl.log, conn.log and dns.log. In simplest process I think I need to either build a series of searches or use multisearch or join in SPL. Infact I would like for it all to be SPL. So not all fields are in all logs so I have to connect field A in log A with field A in log B create a new field B from log A&B and use that in log C to get fields D&E, then create dashboard or I can start off with a table. (Each log is a separate source type)
Some of the fields in BRO that are applicable is uid, fuid, CN, id_resp_h, txhost, rxhost.

Thus.

  1. Gather all certificate activity using the CN field and a dedup to get a list of certificates. (ssl.log)
  2. Take that list of CN and use that in x509.log to get all the certificate information (serial, expiry date, issuer, etc)
  3. Take CN field and certificate information and use it in the dns.log
  4. Convert some fields in to human readable format and create table with fields.

Can anyone give some guidance on this?

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...