Splunk Search

Searching for Hash Values on the Network

itsmevic
Communicator

Hello All! 

I have a .csv file that contains a list of about 100 or so hash values that I'd like to create an alert on so that I'll know if they appear on the network. I have an inputlookup that I created called "hashes.csv" that contains the values I'd like to monitor. Does anyone have SPL that I would need in order to do this? Your help is very much appreciated! Thanks.


cmerriman
Super Champion

All you'd really need to do is something similar to

|tstats count where index=<interesting_index> [|inputlookup hashes.csv|table <hash_field_name_in_index>] by index sourcetype

You could also do something like

index=<interesting_index> <filtering_data> [|inputlookup hashes.csv|table <hash_field_name_in_index>] | stats max(_time) as last_seen by index <hash_field_name_in_index>

There are honestly a handful of ways you could do this. It depends on the input and the output, too. You can also join in the lookup file using | lookup instead of as a subsearch.
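The | lookup variant mentioned above, written out as an added example that is not part of the original answer. It assumes hashes.csv is uploaded as a lookup file with a single column named hash, stored in lower case, and that the events carry the hash in a field named file_hash; both names are placeholders to replace with your own, as is <interesting_index>.

```spl
index=<interesting_index> file_hash=*
| eval file_hash=lower(file_hash)
| lookup hashes.csv hash AS file_hash OUTPUT hash AS matched_hash
| where isnotnull(matched_hash)
| stats count AS hits
        min(_time) AS first_seen
        max(_time) AS last_seen
        values(host) AS hosts
        values(sourcetype) AS sourcetypes
    BY file_hash
| convert ctime(first_seen) ctime(last_seen)
```

Lower-casing the event field matters because CSV lookups match case-sensitively by default, and unlike the subsearch form this does not depend on the subsearch result limit. Saved as a scheduled search with the trigger "number of results is greater than 0", this is the alert.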

marceloalejandr
Path Finder

You mentioned "interesting index". Where and what are the "interesting index" and/or sourcetypes that contain hash values of executable files on Windows?

What app was used, or was Splunk used, to scan for specific .dll files or executables at the operating system to generate the file hash value in order to compare it with a "blacklist or whitelist"?

Also, does Splunk provide an Add-on or App already that handles file hash value generation, or is it planning to in the near future, for both Windows and Unix-like OSs? This is an important step for comparing OS files and keeping systems secure.

Thanks.
