IP Watchlist Lookup

nlisle · ‎11-08-2019

Hello,

I currently have a search against our firewalls, below is the current search.

index=(my index) sourcetype="my_source" ipsrcip!=(ip)

I have a lookup file called 'threatip' that contains a list of source IP's in the first column named 'ip'. I would like to create a search that presents events from the initial search where the source IP from the lookup matches the source IP in the firewall logs.

Firewall log fields -

Source IP - 'srcip'

Lookup Table Fields -

Source IP - 'ip'

It seems so simple yet I am having some issues with it, advice would be much appreciated.

Thank you,
Nick.

jbillings · ‎02-11-2020

Try this
index=(my index) sourcetype="my_source" |search [|inputlookup threatip.csv | fields ip |rename ip as srcip]

woodcock · ‎11-08-2019

Like this:

index="myIndex" AND sourcetype="my_source" AND ipsrcip!=(ip) AND [|inputlookup MyLookupFile.csv | rename ip as srcip | table srcip]

OR

index="myIndex" AND sourcetype="my_source" AND ipsrcip!=(ip)
| lookup MyLookupFile.csv ip AS srcip OUTPUT ip AS MATCHED
| where isnotnull(MATCHED)

gcusello · ‎11-08-2019

Hi nlisle,
please try something like this:

index=my index sourcetype="my_source" [ | inputlookup threatip | rename ip AS srcip | fields srcip ]
| ...

Ciao.
Giuseppe

nlisle · ‎11-08-2019

Hi Giuseppe, I have tried this search however I receive no results. I can confirm that I have already added some data into the lookup, IP's that have hit the firewall in the past 30 days. I am also running my search over the last 30 days. Thanks.

IP Watchlist Lookup

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector