Lookup Tables

A collection of various useful lookup tables for Splunk, or any other program that can parse CSVs (Python, Excel, etc). Lookups provide an easy way to enrich your data by using a separate file to add context to your logs.

Regarding Splunk lookups, here is official Splunk lookup documentation, this one from Hurricane Labs, or follow the steps below:

• Settings --> Lookups
  • Lookup table files --> Add new
    • upload the table, provide the name of the file as it will appear in Splunk (just use the same name AND INCLUDE THE EXTENSION)
  • Lookup definitions --> Add new
    • select the app (likely Search), set the name (same as the CSV name, MINUS the extension, or with _definition suffix), File-based, select the lookup added in the previous step
    • Advanced options --> un-check "Case sensitive match"
  • Automatic lookups --> Add new
    • set the name, select the lookup definition (again, based on the file uploaded), set the sourcetype to be affected
    • input field: left is the name inside the CSV/definition, right is field name CURRENTLY in the Splunk database. This is how the CSV joins/aligns itself to Splunk data.
    • output field: left is the name inside the CSV/definition, right is field name as it WILL appear in Splunk query results

The general naming convention, with few exceptions, is type_field-name-as-seen-in-Splunk_table.csv

TO DO:

• Get all of the lists!

Lookup Tables

• dns_record_types.csv
  • DNS record types from Wikipedia
• html_link_dict.dictionary
  • collection of HTML tags and attributes known to contain links (though some may contain other objects); not all-inclusive; used by extractlinks as "link_dict"
• mitre_attack_v7_table.csv
  • MITRE ATT&CK framework v7, including sub-techniques
  • updated 2020-07-29
• network_http_status.csv
  • for HTTP codes, from Splunk documentation
  • useful for Zeek or any other log type where HTTP status codes are found
• sysmon_EventCode_table.csv
  • for Sysmon event codes
• windows_EventCode_table.csv
  • Windows 7/Vista/8/10, Windows Server 2008/2012R2/2016/2019
  • sources: Ultimate Windows Security, Andrea Fortuna
• windows_EventCode_table_old-XP-2000-2003.csv
  • Windows 2000/XP and Windows Server 2003
  • sources: Ultimate Windows Security, Andrea Fortuna
• windows_ControlAccessRights_table.csv
  • sources: MS-ADTS 5.1.3.2.1 Control Access Rights, Access Control Entry definition
• windows_Impersonation_Level_table.csv
  • for COM impersonation levels, seen in Windows Security logs, from Microsoft documentation
• windows_Logon_Type_table.csv
  • collection of Windows logon types, seen in Windows Security logs, from Microsoft documentation
• windows_ProcessSpecificAccessRights_table.csv
  • describes Windows process-specific access rights; useful for investigating Sysmon event code 10, "Process Access"
  • sources: Microsoft, Roberto Rodriguez
• windows_system_error_codes_table.csv
  • collection of Windows error codes, from Microsoft documentation
• wlan_frame_types.csv
  • types (management, control, data, extension) and subtypes (probe request, response, etc)
  • source: Wikipedia
  • note: if using Python and Scapy, use zfill if desired: type = str(bin(pkt.type)[2:].zfill(2)) subType = str(bin(pkt.subtype)[2:].zfill(4))
• wlan_frame_types.dictionary
  • a Python dictionary version of wlan_frame_types.csv
  • optionally use typeName = types[type]["description"] subTypeName = types[type]["subtype"][subType]["description"] if also using the above type/subType variables
• zeek_conn_state_table.csv
  • a for Zeek's conn_state field