Using lookup table with host-ip association

User2 — Fri, 17 Nov 2023 09:15:04 GMT

Hi, I would like to ask a question regarding the lookups table.

I am managing logs about login and I want to be sure that on a specific host you can access only with a specific IP address, otherwise alert is triggered.

So basically I have a lookup built like this

IP	HOST
1.1.1.1	host1
2.2.2.2	host2
3.3.3.3	host3

My purpose is to build a query search that finds whenever the IP-HOST association is not respected.

1.1.1.1 connects to host1 ---> OK

1.1.1.1 connects to host2 ---> BAD

2.2.2.2 connects to host1 ---> BAD

The connection from host1 should arrive only from 1.1.1.1, etc..

How can I text this query?

Thank you

Re: Using lookup table with host-ip association

PickleRick — Fri, 17 Nov 2023 10:22:35 GMT

Just do a lookup using both fields (source IP and destination host) and output one of those fields as a new field.

Something like

| lookup allowed_ips IP AS src_ip HOST as dst_host OUTPUT HOST AS matchhost

This will create a field called matchhost which will be populated only if both src_ip and dst_host in your event match one of the entries from your lookup.
You can now search for the events matching or not matching your criteria by verifying if matchhost is null or not.

topic Using lookup table with host-ip association in Splunk Search

Using lookup table with host-ip association

Re: Using lookup table with host-ip association