Splunk Search

Searching for Hash Values on the Network

itsmevic
Communicator

Hello All! 

    I have a .csv file that contains a list of about 100 or so hash values that I'd like to create an alert on so that I'll know if they appear on the network.  I have an inputlookup that I created called "hashes.csv" that contains the values I'd like to monitor.  Does anyone have SPL that I would need in order to do this?  Your help is very much appreciated!  Thanks.  

Labels (1)
1 Solution

cmerriman
Super Champion

All you'd really need to do is something similar to

|tstats count where index=<interesting_index> [|inputlookup hashes.csv|table <hash_field_name_in_index>] by index sourcetype

you could also do something like

index=<interesting_index> <filtering_data> [|inputlookup hashes.csv|table <hash_field_name_in_index>] | stats max(_time) as last_seen by index<hash_field_name_in_index>

there are honestly a handful of ways you could do this. depends on the input and the output, too. you can also join in the lookup file using | lookup instead of as a subsearch. 

View solution in original post

cmerriman
Super Champion

All you'd really need to do is something similar to

|tstats count where index=<interesting_index> [|inputlookup hashes.csv|table <hash_field_name_in_index>] by index sourcetype

you could also do something like

index=<interesting_index> <filtering_data> [|inputlookup hashes.csv|table <hash_field_name_in_index>] | stats max(_time) as last_seen by index<hash_field_name_in_index>

there are honestly a handful of ways you could do this. depends on the input and the output, too. you can also join in the lookup file using | lookup instead of as a subsearch. 

marceloalejandr
Path Finder

You mentioned "interesting index".   Where and what are the "interesting index" and/or sourcetypes that contain hash values of executable files on Windows?  

What app was used or was Splunk used to scan for specific .dll files or executables at the operating system to generate the file hash value in order to compare it with a "blacklist or whitelist"?

Also does Splunk provide an Add-on or App already that handles file hash value generation or planning to in the near future, for both Windows and Unix-like OSs?   This is an important step for comparing OS files and keeping systems secure.  

Thanks.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...