Searching for Hash Values on the Network

itsmevic
Communicator

Hello All! 

I have a .csv file that contains a list of about 100 or so hash values that I'd like to create an alert on so that I'll know if they appear on the network. I have an inputlookup that I created called "hashes.csv" that contains the values I'd like to monitor. Does anyone have SPL that I would need in order to do this? Your help is very much appreciated! Thanks.


cmerriman
Super Champion

All you'd really need to do is something similar to

|tstats count where index=<interesting_index> [|inputlookup hashes.csv|table <hash_field_name_in_index>] by index sourcetype

You could also do something like

index=<interesting_index> <filtering_data> [|inputlookup hashes.csv|table <hash_field_name_in_index>] | stats max(_time) as last_seen by index <hash_field_name_in_index>

There are honestly a handful of ways you could do this. Depends on the input and the output, too. You can also join in the lookup file using | lookup instead of as a subsearch.
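As an added example (not from the answer above), this is the `| lookup` variant the answer mentions, written as a search you could save as an alert. It assumes the events live in an index named `endpoint`, carry the hash in a field named `file_hash`, and that `hashes.csv` is uploaded as a lookup file with a single column named `hash`; all three names are assumptions, so substitute your own.

```spl
index=endpoint file_hash=*
`comment("Normalize case so a match does not depend on how the source logged the hash")`
| eval file_hash=lower(file_hash)
`comment("Join against hashes.csv; matched_hash stays null for events whose hash is not in the list")`
| lookup hashes.csv hash AS file_hash OUTPUT hash AS matched_hash
| where isnotnull(matched_hash)
`comment("One row per host and hash, with first/last sighting, so the alert is actionable rather than one row per event")`
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, count BY host, matched_hash, sourcetype
| convert ctime(first_seen) ctime(last_seen)
```

CSV lookups match case-sensitively by default, so either store the hashes in `hashes.csv` in lowercase or create a lookup definition for it with `case_sensitive_match = false`; the subsearch form in the answer above avoids this because field-value searches are case-insensitive.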

marceloalejandr
Path Finder

You mentioned "interesting index".   Where and what are the "interesting index" and/or sourcetypes that contain hash values of executable files on Windows?  

What app was used or was Splunk used to scan for specific .dll files or executables at the operating system to generate the file hash value in order to compare it with a "blacklist or whitelist"?

Also does Splunk provide an Add-on or App already that handles file hash value generation or planning to in the near future, for both Windows and Unix-like OSs?   This is an important step for comparing OS files and keeping systems secure.  

Thanks.
