I created a list of known malicious domain names and put that information into a CSV. I named the field "dest_hostname", the same as what is shown in the firewall logs.
Ex:
Field name: dest_hostname
Field values: 2030049929xxxuuu.com, somewhere.ru, 019293fsvs.br, 120344fruexe.com etc.
I want to know if there is a way that you can search in Splunk for this information on the firewall to see if there is a match with one of these domain names from my CSV file.
Ex.
Oct 21 10:57:30 STSFW01.XYZ.com 1,2017/10/24 10:57:30,002201000314,THREAT,url,0,2017/10/24 10:57:30,10.8.0.56,23.21.144.160,0.0.0.0,0.0.0.0,Exempted_Applications,,,ssl,vsys1,trust-L2,untrusted-L2,ethernet1/22,ethernet1/21,Border_FWD,2017/10/24 10:57:30,34984390,1,51716,443,0,0,0xb000,tcp,alert,"**019293fsvs.br**",(9999),ssl-decryption-issues,informational,client-to-server,11081430324,0x0,10.0.0.0-10.255.255.255,US,0,,0,,,0,,,,,,,,0,17,0,0,0,
Splunk would generate an alert because the 019293fsvs.br domain is in my CSV, then table that information with the fields from the actual firewall log, so "time, src, dst, dest_port, url, count" etc.
Thanks, I'm still new to lookups and Splunk in general.
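One way to do this match, as an added SPL example that is not part of the original post: it assumes the CSV has been uploaded as a lookup table file named malicious_domains.csv with a header row "dest_hostname", that the firewall events live in index=firewall with sourcetype pan:threat, and that the add-on extracts url, src_ip, dest_ip and dest_port (the index, sourcetype and field names are assumptions to adjust to your environment). The rex step strips any path or port from the url field so the CSV value compares against the bare hostname.

```spl
index=firewall sourcetype="pan:threat"
| rex field=url "^(?<dest_hostname>[^/:]+)"
| lookup malicious_domains.csv dest_hostname OUTPUT dest_hostname AS matched_domain
| where isnotnull(matched_domain)
| stats count min(_time) AS first_seen max(_time) AS last_seen BY src_ip dest_ip dest_port dest_hostname
| convert ctime(first_seen) ctime(last_seen)
```

Save the search as an alert that triggers when the number of results is greater than zero; events whose hostname is not in the CSV get no matched_domain value and are dropped by the where clause.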