Splunk Search

Searching for Hash Values on the Network

itsmevic
Communicator

Hello All! 

I have a .csv file that contains a list of about 100 or so hash values that I'd like to create an alert on so that I'll know if they appear on the network. I have an inputlookup that I created called "hashes.csv" that contains the values I'd like to monitor. Does anyone have SPL that I would need in order to do this? Your help is very much appreciated! Thanks.

1 Solution

cmerriman
Super Champion

All you'd really need to do is something similar to

|tstats count where index=<interesting_index> [|inputlookup hashes.csv|table <hash_field_name_in_index>] by index sourcetype

you could also do something like

index=<interesting_index> <filtering_data> [|inputlookup hashes.csv|table <hash_field_name_in_index>] | stats max(_time) as last_seen by index <hash_field_name_in_index>

there are honestly a handful of ways you could do this. depends on the input and the output, too. you can also join in the lookup file using | lookup instead of as a subsearch. 

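As an added worked example (not part of the accepted answer above), here is the `| lookup` variant of the search written out as an alert search. It assumes, purely for illustration, that hashes.csv has a single column named `hash`, that the events carry the file hash in a field called `file_hash`, and that they live in an index called `endpoint`; substitute your own column, field and index names.

```spl
index=endpoint file_hash=* earliest=-15m@m latest=@m
| eval file_hash=lower(file_hash)
| lookup hashes.csv hash AS file_hash OUTPUT hash AS matched_hash
| where isnotnull(matched_hash)
| stats count min(_time) AS first_seen max(_time) AS last_seen values(host) AS hosts BY file_hash
| convert ctime(first_seen) ctime(last_seen)
```

Two practical points. Hash matching is string matching, so the event field and the CSV column must agree on case: the `eval lower()` step normalizes the event side, and the hashes in the CSV should be stored in lowercase as well (or the CSV should be wrapped in a lookup definition with `case_sensitive_match = false` in transforms.conf). Second, the `tstats` form in the answer above only works when the hash field is an indexed field or is served from an accelerated data model; for hashes that are extracted at search time, use a plain `index=...` search or the `| lookup` form shown here. To turn this into the alert the question asks for, save the search with a 15-minute cron schedule matching the `earliest`/`latest` window, and trigger when the number of results is greater than 0.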

marceloalejandr
Path Finder

You mentioned "interesting index". Where and what are the "interesting index" and/or sourcetypes that contain hash values of executable files on Windows?

What app was used, or was Splunk used, to scan for specific .dll files or executables at the operating system to generate the file hash value in order to compare it with a "blacklist or whitelist"?

Also, does Splunk provide an Add-on or App already that handles file hash value generation, or plan to in the near future, for both Windows and Unix-like OSs? This is an important step for comparing OS files and keeping systems secure.

Thanks.
