I have a rather large lookup table of IP addresses and domain names. I keep adding to this list as we get advisories from various groups. The list has gotten so large that I forget what some of them were for, so I have begun to place (in comma-delimited form) the referring group (e.g. FBI, SANS, etc.) and what type of attack it is a part of (pony, struts2, etc.). My lookup table works fine, but how do I get the other two entries to be included when I get a hit on an address?
Here is what I have:
index="firewall" dst_ip OR src_ip ( [| inputlookup bad_actors.csv | rename host as query | fields query] ) NOT www.google.com
*The NOT www.google.com is my sanity checker; I put it in my tables to make sure things are working correctly.
Obviously the search is going to bring up any hits I may get, and I can obviously put it into a report, but I need to know how to get the second and third fields in there to make it useful.
Thanks for looking!
Based on your search, I assume there is a field with name 'query' in your events.
Try following:
index="firewall" dst_ip OR src_ip NOT www.google.com | lookup bad_actors.csv query OUTPUT referringGroup attackType | where isnotnull(referringGroup)
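As an added example (not part of the original question or this answer), here is the enrichment step the answer describes, modelled in Python so it runs offline without Splunk: a constructed bad_actors.csv with host, referringGroup and attackType columns, a few constructed key=value firewall events using documentation IP ranges, and a lookup that matches on src_ip, dst_ip or dst_host and carries the two extra columns through to each hit while skipping the www.google.com sanity row. The field names, the sample rows and the first-match-wins handling of duplicate indicators are assumptions for the example.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed lookup table in the layout the question describes: one row per
# indicator plus the group that reported it and the campaign it belongs to.
# The values are invented for this example, not taken from any advisory.
BAD_ACTORS_CSV = """host,referringGroup,attackType
203.0.113.10,FBI,pony
198.51.100.7,SANS,struts2
evil.example,FBI,pony
www.google.com,sanity,check
"""

# Constructed firewall events in key=value form (documentation address ranges).
FIREWALL_EVENTS = [
    "src_ip=10.0.0.5 dst_ip=203.0.113.10 dst_host=evil.example action=allowed",
    "src_ip=198.51.100.7 dst_ip=10.0.0.9 action=blocked",
    "src_ip=10.0.0.5 dst_ip=172.217.0.1 dst_host=www.google.com action=allowed",
    "src_ip=10.0.0.6 dst_ip=192.0.2.44 action=allowed",
]

# The positive-control row from the question; it proves the lookup fires but
# must never appear in the report (the "NOT www.google.com" clause).
SANITY_HOSTS = {"www.google.com"}


def load_lookup(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Index the CSV by host, the column `| lookup bad_actors.csv host` matches on.
    Keys are lowercased so a domain matches however the event spells it."""
    table: Dict[str, Dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"].strip().lower()
        if host in table:
            # Duplicate indicator: keep the first row (assumed policy, like
            # Splunk's default of one match per lookup).
            continue
        table[host] = {
            "referringGroup": row["referringGroup"],
            "attackType": row["attackType"],
        }
    return table


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v' firewall line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def enrich(event: Dict[str, str], table: Dict[str, Dict[str, str]],
           fields=("src_ip", "dst_ip", "dst_host")) -> Optional[Dict[str, str]]:
    """Return the event plus referringGroup/attackType if any watched field hits
    the table, else None. This is the `lookup ... OUTPUT referringGroup attackType
    | where isnotnull(referringGroup)` step, applied to each address field in
    turn rather than to a single `query` field."""
    for field in fields:
        value = event.get(field, "").lower()
        if value in SANITY_HOSTS:
            continue
        hit = table.get(value)
        if hit:
            return {**event, "matched_field": field, "indicator": value, **hit}
    return None


def find_hits(lines: List[str], csv_text: str = BAD_ACTORS_CSV) -> List[Dict[str, str]]:
    """Run every event through the lookup and keep only the enriched hits."""
    table = load_lookup(csv_text)
    hits = []
    for line in lines:
        enriched = enrich(parse_event(line), table)
        if enriched:
            hits.append(enriched)
    return hits


if __name__ == "__main__":
    for hit in find_hits(FIREWALL_EVENTS):
        print(f"{hit['indicator']:18} via {hit['matched_field']:8} "
              f"group={hit['referringGroup']} attack={hit['attackType']}")
```

Running it reports the 203.0.113.10 destination as FBI/pony and the 198.51.100.7 source as SANS/struts2; the google.com event is dropped even though it is in the table. In Splunk the same two-direction matching is done by calling `lookup` once per address field, mapping the CSV column with `AS` (for example `lookup bad_actors.csv host AS src_ip OUTPUT referringGroup attackType`), rather than relying on a single `query` field being present in every event.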
Change 'fields query' to 'fields query referringGroup attackType'. The last two fields should match whatever is in the header of bad_actors.csv.