Skip to main content

Splunk - Adding a lookup



These days many companies started using Splunk for security monitoring and the only thing I can say is “it is worth it”.
 
Splunk can significantly reduce the work load, just imagine that you are operating more than 20 Security Solutions which generated tons of logs and you have to identify an attack and of course react in a prompt fashion. I can certainly recommend Splunk for such scenarios.
Of course everything comes at a cost and Splunk is definitely not a cheap product.
 
I am now using Splunk for past 3 years but still from time to time I need to google some stuff to fix my issues and many a times I had to spend a bit too much time even though the Splunk community is very strong. May be I was not looking into the right direction and perhaps I was too naive to understand what others were talking. Therefore with the medium of my blog, I will share some useful information for all the splunk users.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Creating a lookup:
There are use cases in Splunk where sometimes static information is required to search but is not available in Index. For these kinds of cases we create static Lookup. Splunk supports static CSV or the output of a python script as a lookup.
I will sight an example of a static CSV, once you have created a lookup you may use it in searches depending upon your use cases.
We will start with an example of a list of some IP list that you know are static and let's say different services in your organization are behind these IPs and you would like to see the results in a dashboard based upon the lookup IPs.

In order to start, go to settings and there you will see Lookups menu as shown below:
Now we need to upload our CSV therefore we go to the Lookup table files
Add lookup table that we just created, in case of destination app you can select any app if you have already installed many apps and you would like only a particular app to have access to this lookup.
Name as described by Splunk itself, in case of CSV file we should use .csv as an extension.
Once you upload the file, you need to create lookup definitions. Give any name to the definition and since we are using a CSV file in order to create a lookup therefore choose File-Based. Select destination app where you would like to use these definitions.
Once you are done creating Lookup definitions you will notice that it will automatically tell you the supported fields as below:
If you would like extract the fields from your lookup, go to the search and use following command to see the lookup file: | inputlookup name of the lookup or lookup definition
Here we have used
Lookup table: AAAA.csv
Lookup definition : testing_AA
And the result will be similar as shown here:



Comments

Popular posts from this blog

Cloud based WAF sucks more than you thought - Privacy?

In my  previous  post, I have described a basic diagram of WAF into any network. Now imagine if we just place WAF into a cloud and for an easy explanation,instead of reinventing the wheel, I will refer to the Sucuri’s  diagram  here   It is clearly stated in this diagram that Sucuri's network will protect your website against hackers who may perform injection attacks like XSS, SQL Injection, Command injection etc. Now in real life to an end user, it is quite complicated to figure out whether there is a WAF in place or not and actually why an end user would be interested. His/Her only concern would be that their personal information should be properly taken care off while they’re visiting a website. But as an end customer how would you make sure that the information that you are providing will be taken care of and without your consent, it won’t be shared with any third party. Well it is quite a complex question, especially for the people who have nothing to do with the IT Securit

My experience with Bug Bounties

My experience with Bug Bounties I wanted to polish my pentest skills and bug bounties are certainly a way where you get to know already hardened real world applications. On the one hand you get to know some new state of art security systems like various kinds of WAF and you can continuously learn to penetrate them. On the other hand once you start digging  into  the application you get to know about the perspective of different mind set of the developers, how do they mitigate a problem that further gives you a better understanding of mitigating a single problem with different perspectives. Last but not least, you can make some extra perks. Following the same path, I started to check for Bug Bounties and I came across a platform called  Firebounty  which keeps you updated about the newest bug bounties in market out of many other such platform. After crawling through many potential services, I have found one that has raised interest in me called  www.algolia.com , who’s main bu

Splunk - Drop Down Management Dashboard for Attacks

Scenario: You might have many security devices as input resource and many of them have standard apps already designed for Splunk(Also available for free) but even then in some cases you would like to create your own Dashboards based on your own requirements especially when you would like to report to the management customers and so on. Here I will explain a Web Application Firewall as an input resource where we might have multiple services registered into WAF and in Splunk you would like to create a dashboard for management based on a drop down menu for different services. To start with, we will use the same lookup that we have created in my previous blog. First you need to know what you would like to present in a dashboard. In my case, I am taking a simple scenario that I would like to present the number of attacks from a country that is happening to any particular service in a given period of time. It would also present some additional details like as follows: