- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Match all possible matches to lookuplist
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy domain=*
| rename domain as emotet_domain
| where
[| inputlookup test
| fields emotet_domain]
| stats values(emotet_domain) as emotetDomain
so inside the lookup list i want to be able to match for example a threat of -- reason.com OR www.reason.com
i added the matchtype option of WILDCARD(emotet_domain) AND I have also tried WILDCARD(domain) I am not sure whihc one will help wildcard it, but as of right now it is NOT working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that your lookup has domain values like reason.com, all you need to do is this and then it should work:
inputlookup test
| eval emotet_domain = "*." . emotet_domain
| outputlookup test
Then use it like this:
index=proxy domain=*
| lookup test emotet_domain AS domain OUTPUT emotet_domain AS MATCHED
| where isnotnull(MATCHED)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this would def help in the future, unfortunately what was below will help even better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, what this is doing is it is searching all the events that happened and that it matches. I need to match the latest event so it only triggers an alert.
I also need to add more to it as well such as
index=proxy domain=* OR index=network* src_ip=* dest_ip=*
[| inputlookup test
| stats values(emotet_domain) as query, values(emotet_ip) as IP
|format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
| lookup test emotet_ip as dest_ip OUTPUT emotet_ip
| lookup test emotet_ip as src_ip OUTPUT emotet_ip
will this work??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see what you want.
Let's ask another question.
at the time, please provide Csv sample and setting.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
