Skip to main content
 
 
 
Splunk Lantern

IP address identification based on host name

 

A Windows desktop has been infected by ransomware, and you need to identify the IP address of the infected machine as part of your investigation.

Required data

System log data

Procedure

  1. Run the following search.You can optimize it by specifying an index and adjusting the time range.
    <hostname> 
  2. In the field sections on the left, find and click sourcetype.
  3. Click the value with the highest count to add it to the search. 
  4. In the field sections on the left, find and click src_ip.

Next steps

This search returns the IP address most likely associated with the host name of the infected machine.

Finally, you might be interested in other processes associated with the Investigating a ransomware attack use case.