Hey all,
I have a fairly simple question.
I have a web proxy index that has a url field.
I have a CSV that contains malicious TLDs (.ru, .cn).
I'm trying to create the right query to match the CSV to this field in the web proxy index.
So if traffic is seen for url=hackingsite.ru, it gets compared to the CSV and sees that a .ru domain is bad (so it matches).
index=webproxy [|inputlookup MalciousDNSTLD.csv | fields dns] | eval dns=url | table url
But I know I am missing something from the query, so I'm looking for some generous help.
Thanks.
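One way to do the comparison described in the post, as an added SPL example that is not part of the original post: extract the host from url, take its last label, and look that label up in the CSV instead of using a subsearch. It assumes the CSV has a column named dns holding lowercase values with a leading dot (.ru, .cn) and that the file is available as a lookup table; url_host, tld and matched_tld are field names chosen here.

```spl
index=webproxy url=*
| rex field=url "^(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?(?:[^/@]*@)?(?<url_host>[^/:?#]+)"
| rex field=url_host "(?<tld>\.[^.]+)\.?$"
| eval tld=lower(tld)
| lookup MalciousDNSTLD.csv dns AS tld OUTPUT dns AS matched_tld
| where isnotnull(matched_tld)
| table _time url url_host matched_tld
```

The first rex drops any scheme, userinfo, port, path and query so that a value such as http://hackingsite.ru:8080/login still yields .ru, and the second tolerates a trailing dot on the host name. Events whose TLD is not in the CSV get no matched_tld and are filtered out by the where clause.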