Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In threatlists can you have multiple values in url?

mcronkrite
Splunk Employee
Splunk Employee
‎02-22-2015 04:42 PM

Can you have multiple domain names on single url field? Or does every row have to have single domain name?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jervin_splunk
Splunk Employee
Splunk Employee
‎02-23-2015 06:47 AM

The previous answer is incorrect; threatlists do not accept a pipe-delimited field as input for the "url" or "domain" fields. This is something that can easily be tested by simply trying it out. Place an entry into local_threatlist_domains.csv and wait for the threatlist management system to merge the CSVs into the active lookup tables:

$ cat local_threatlist_domains.csv
description,domain
        
test,splunk.com|google.com
        

    ... wait for a while ...
        

$ grep splunk threatlist_by_domain_or_url.csv
    
splunk.com|google.com,,,test,,splunk.com|google.com,,local_threatlist_domains,threatlist_domain

Note that the output CSV does not contain multiple entries as would be required in a lookup table for matching to work properly, but retains the pipe-delimited format; thus this indicates that this is not currently supported.

We'll coordinate to have the documentation corrected.

View solution in original post

Reply
Solved! Jump to solution

mcronkrite
Splunk Employee
Splunk Employee
‎03-07-2015 12:01 PM

For URLs it would be good to split the url into parts. The URL can be main domain, but also has embedded cookie, referrer, etc. The threat list should be matching against all of its value within url field

0 Karma
Reply
Solved! Jump to solution

mcronkrite
Splunk Employee
Splunk Employee
‎03-07-2015 12:01 PM

I've filed a case to request this feature.

0 Karma
Reply
Solved! Jump to solution
Solution

jervin_splunk
Splunk Employee
Splunk Employee
‎02-23-2015 06:47 AM

The previous answer is incorrect; threatlists do not accept a pipe-delimited field as input for the "url" or "domain" fields. This is something that can easily be tested by simply trying it out. Place an entry into local_threatlist_domains.csv and wait for the threatlist management system to merge the CSVs into the active lookup tables:

$ cat local_threatlist_domains.csv
description,domain
        
test,splunk.com|google.com
        

    ... wait for a while ...
        

$ grep splunk threatlist_by_domain_or_url.csv
    
splunk.com|google.com,,,test,,splunk.com|google.com,,local_threatlist_domains,threatlist_domain

Note that the output CSV does not contain multiple entries as would be required in a lookup table for matching to work properly, but retains the pipe-delimited format; thus this indicates that this is not currently supported.

We'll coordinate to have the documentation corrected.

Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎02-22-2015 06:11 PM

You can separate multivalues with a pipe as a delimter, per the documentation. However, the way ES hashes out the threatlists url values, it's probably most efficient to have multiple values broken out..

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...