I want to create an alert that triggers when a src_ip OR dest_ip exists in a lookup table (e.g. threat_ip_list.csv). But I'm not sure how to create the search string for this. The fields I'm using in the threat_ip_list lookup table are as follows:
src_ip, dest_ip, threat_country, threat_name
(NOTE: The src_ip and dest_ip field values are duplicates of each other in the lookup table.)
If the src_ip OR dest_ip matches an IP address listed in the table, the alert should trigger and provide the threat_country and threat_name information. Any recommendations on how to do this are greatly appreciated.
Try like this
your search to get ip_address field which contains the ip | lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1 | lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2 | where isnotnull(threat_country1) OR isnotnull(threat_country2) | eval threat_country=coalesce(threat_country1,threat_country2) | eval threat_name=coalesce(threat_name1,threat_name2)| table ip_address threat_country threat_name
Try like this
your search to get ip_address field which contains the ip | lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1 | lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2 | where isnotnull(threat_country1) OR isnotnull(threat_country2) | eval threat_country=coalesce(threat_country1,threat_country2) | eval threat_name=coalesce(threat_name1,threat_name2)| table ip_address threat_country threat_name
Thank you. I ran the search you provided. Had problems with the "lookup threat_ip_list.csv src_ip as ip_address" and "lookup threat_ip_list.csv dest_ip as ip_address" lines. But I worked around it by adding src_ip and dest_ip fields in the lookup table and giving them equivalent ip values and removing the "as ip_address" from the search string.
Everything else worked great!
Try this
index=somelogs [|inputlookup threat_ip_list.csv | table src_ip | rename src_ip AS search ]