Splunk Search

How can I correlate access logs with a malware domain list in CSV format?

papemalik
Explorer

Hello Guys,

I am VERY new to Splunk and security. I actually started to work on a security project where we want to use Splunk to correlate access logs with a malware domain list (csv format) so that we will be able to detect unusual behavior of users.

For example, detect that a user tried to connect to a URL with a bad reputation several times (in a day, or in a period of time), or repetitive connection attempts to countries that we know we don't have any interest in, etc.

I'm kindly asking for your help as right now, I'm a little bit lost.

Thank you very much to each one of you.


sundareshr
Legend

That's a loaded question. At the root of it, there are two things you need.

1) All access logs indexed in Splunk
2) domainlist.csv set up as a lookup file.

Simple, right? Well, not quite. For matching values between indexed data and data in a lookup file, the field names and the field values of the matching field have to be identical. So, if you have a field in your indexed data called `request_uri`, then the csv needs to have the same name. Also, the domain names have to match as well. For example, if your csv has `www.blacklistedsite.com` and your indexed data in `request_uri` is `subdomain.blacklistedsite.com`, they will not match.

Having said that, do not fret, it can be done :). There is a ton of really good information. You can start here.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Addfieldsfromexternaldatasources
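The matching problem described in the answer above, as an added example that is not part of this thread and is not Splunk's own code: a small Python simulation of the CSV lookup. It assumes the indexed field is called `request_uri`, and both the malware list and the access-log events are constructed for the illustration. The `exact` mode behaves like a plain CSV lookup (the indexed value must equal a CSV value character for character, so `subdomain.blacklistedsite.com` and a full URL both miss). The `suffix` mode shows the extra normalization step a plain lookup lacks: strip scheme, port and a leading `www.`, then also treat subdomains of a listed domain as hits. The hit counts per user and day answer the original question about "several times in a day".

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed malware domain list, as it would sit in domainlist.csv.
# The header carries the same field name as the indexed data (request_uri).
MALWARE_CSV = """request_uri
www.blacklistedsite.com
evil.example
"""

# Constructed access-log events (user, day, raw request value).
ACCESS_LOGS = [
    {"user": "alice", "day": "2024-03-01", "request_uri": "www.blacklistedsite.com"},
    {"user": "alice", "day": "2024-03-01", "request_uri": "subdomain.blacklistedsite.com"},
    {"user": "alice", "day": "2024-03-01", "request_uri": "http://evil.example/payload.bin"},
    {"user": "bob", "day": "2024-03-01", "request_uri": "www.example.org"},
    {"user": "bob", "day": "2024-03-02", "request_uri": "cdn.evil.example:8443"},
    {"user": "carol", "day": "2024-03-02", "request_uri": "notevil.example"},
]


def load_lookup(csv_text, field="request_uri"):
    """Read the lookup CSV and return its raw values; fail loudly if the field name differs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if field not in reader.fieldnames:
        raise ValueError(f"lookup is missing field {field!r}")
    return {row[field].strip() for row in reader if row[field] and row[field].strip()}


def normalize_host(value):
    """Reduce a bare host or a full URL to a lowercase host without port or leading 'www.'."""
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    else:
        value = value.split("/", 1)[0].split(":", 1)[0]
    if value.startswith("www."):
        value = value[4:]
    return value


def suffix_match(host, normalized_blocklist):
    """Return the list entry that host equals or is a subdomain of, else None.

    Candidates keep at least two labels, so a bare TLD in the list can never match everything.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in normalized_blocklist:
            return candidate
    return None


def count_hits(logs, blocklist, mode="exact", field="request_uri"):
    """Count blocklist hits per (user, day).

    'exact' mirrors a plain CSV lookup: indexed value == CSV value, nothing else.
    'suffix' normalizes both sides first and also catches subdomains of a listed domain.
    """
    hits = Counter()
    normalized = {normalize_host(d) for d in blocklist}
    for event in logs:
        value = event[field]
        if mode == "exact":
            matched = value in blocklist
        elif mode == "suffix":
            matched = suffix_match(normalize_host(value), normalized) is not None
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if matched:
            hits[(event["user"], event["day"])] += 1
    return dict(hits)


def over_threshold(hits, threshold):
    """(user, day) pairs with at least `threshold` hits, sorted for stable output."""
    return sorted(key for key, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    blocklist = load_lookup(MALWARE_CSV)
    for mode in ("exact", "suffix"):
        hits = count_hits(ACCESS_LOGS, blocklist, mode)
        print(mode, hits, "repeat offenders:", over_threshold(hits, 2))
```

Only the first event is caught in `exact` mode, which is exactly the mismatch the answer warns about; `suffix` mode catches four events and flags alice on 2024-03-01 as a repeat offender, while `notevil.example` is correctly left alone because it is not a subdomain of `evil.example`. One caveat on the suffix rule: it treats every subdomain of a listed domain as bad, so a list entry that is a shared-hosting parent domain would over-alert, and the list should be curated with that in mind. In Splunk the same normalization is done before the lookup (for instance with `eval` and `replace`/`lower`) and the daily count with `stats count by user` over one-day time bins.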

papemalik
Explorer

Thank you very much sundareshr for your answer
