Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

IOC Inputlookup

zayedaljaberi
Engager
‎05-01-2020 04:04 AM

Hi ,

my goal is to detect if there is any matches with my custom Domain_IOC.csv list and display additional column for the note.

Domain_IOC.csv list includes two columns
Domain and ioc_note (example picture attached of lookup table)alt text

I want the output to be if there was matches with domain is to include the ioc_note column as well.

Current Query I have (Which provides me the matches with domain but doesn't include ioc_note column)

index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| stats values(Domain) as IOC by Date,host,Account,IP,Action

For your kind support.

Tags (1)
Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-05-2020 09:10 AM 
 index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv | fields Domain]
 | stats count by _time, Domain, Action, Category
 | inputlookup append=t Domain_IOC.csv
 | eval Domain=trim(Domain,".")
 | eval Domain=trim(Domain,"*")
 | sefljoin Domain
 | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
 | fields - _time

Hi folks
Domain in search has extra .(dot) and Domain in lookup has extra *(astarisk).
These can't match by lookup.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-05-2020 09:46 AM

Nice find I didn’t notice extra dot and wildcard in lookup. However you can do wildcard lookup and it is possible have a look at my answer https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-01-2020 05:05 AM

Hi,

Please try below seaarch

index=dns sourcetype="dnslog"
| stats values(Domain) as Domain by _time,host,Account,IP,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma
Reply

zayedaljaberi
Engager
‎05-01-2020 09:42 AM

Hi Hars,

unfortunately it didn't work, no events showed.

Would you please advice?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-04-2020 01:32 AM

If you run below query, are you getting any result ?

index=dns sourcetype="dnslog"
 | stats values(Domain) as Domain by _time,host,Account,IP,Action
0 Karma
Reply

zayedaljaberi
Engager
‎05-05-2020 06:24 AM

Hi,

No results based on your query

to verify that i'm receiving the events in the screenshot below
alt text

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-05-2020 07:05 AM

Try below query

index=dns sourcetype="dnslog"
| stats count by _time,Domain,host,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...