What I wanted to do is a simple search in our proxy logs to find accesses to known bad domain names. Currently we do not have the threat intelligence app installed.
I created a lookup table that consists of only one column called murl, containing domain names hosting malicious sites.
| inputlookup table.csv produces a simple list:
covidcyphers.com
covid19sci.com
suite401-covid19.com
covid-taskforce.com
titan-covid19.online
If I use that as a lookup in a search I do not get matches, even when I use domains included in the log.
index="proxy" | eval murl=url | lookup table.csv murl AS url OUTPUTNEW murl AS new| where dst like new
(I also tried "%new%" and similar things.)
I then tried to use inputlookup in a subsearch instead:
index="proxy" url !="" [inputlookup table.csv where url in(murl) ]
and it told me that the IN function needs a list of strings separated by commas: string1,string2,string4
So I experimented with the format/return (1000 $murl) commands:
index="proxy" where url IN([inputlookup table.csv| fields murl| format "" "" "," "" "" ""])
but did not reach my goal …
Is there a way to change the inputlookup result into a comma-separated list to be used in the IN function?
Or does anybody have a search command that can do a partial match against a list of values provided by a lookup table?
Thank you very much
Kai
Try this:
index="proxy" [ | inputlookup table.csv | eval url="*".murl."*" | fields url | format]
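To see what that subsearch actually hands to the outer search, here is an added Python sketch (not Splunk code and not from this thread) that rebuilds the `format` output from a constructed one-column lookup and applies the same `url="*murl*"` wildcard test to constructed proxy events; it assumes the search-time field=value match is case-insensitive, as it is for the search command.

```python
import fnmatch

# Constructed stand-in for `| inputlookup table.csv` (single column: murl).
MURL_LOOKUP = [
    "covidcyphers.com",
    "covid19sci.com",
    "suite401-covid19.com",
]

# Constructed proxy events, as the url field would be extracted from index="proxy".
PROXY_EVENTS = [
    {"src": "10.0.0.5", "url": "http://covidcyphers.com/login.php"},
    {"src": "10.0.0.6", "url": "https://www.example.org/"},
    {"src": "10.0.0.7", "url": "https://cdn.covid19sci.com/a.js"},
    # Substring hit: the wildcard also matches a host that merely contains the domain.
    {"src": "10.0.0.8", "url": "https://mycovid19sci.com.example.net/"},
]


def expand_subsearch(murls):
    """Mimic `| eval url="*".murl."*" | fields url | format` on the lookup rows.

    `format` with its defaults wraps each row in parentheses and joins rows with OR,
    which is the text the outer index="proxy" search receives.
    """
    terms = ['( url="*%s*" )' % m for m in murls]
    return "( " + " OR ".join(terms) + " )"


def matches(event, murls):
    """Return the lookup values whose *murl* wildcard matches the event's url.

    fnmatch treats '.' literally and only '*' as a wildcard, like the SPL term;
    both sides are lower-cased to mirror case-insensitive field value matching.
    """
    url = event.get("url", "").lower()
    return [m for m in murls if fnmatch.fnmatchcase(url, "*%s*" % m.lower())]


def hits(events, murls):
    """Events the expanded search would return, with the murl values that fired."""
    return [(e["src"], e["url"], matches(e, murls)) for e in events if matches(e, murls)]
```

The last constructed event shows that a `*murl*` wildcard matches any URL containing the domain as a substring, so the result is a triage filter rather than an exact host comparison.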
Thank you very much! I thought it must be very easy 😉