Hi
I want to use a lookup table as a whitelist for an alert.
1. I created a whitelist.csv lookup table including src, dst, protocol, user, whitelisted
src | dst | protocol | user | whitelisted
192.168.10.1 | 120.18.97.6 | * | * | true
192.168.10.5 | * | * | * | true
* | * | https | bob | true
2. I created a lookup definition with match type: WILDCARD(src), WILDCARD(dst), WILDCARD(user), WILDCARD(protocol)
3. Added the following lines to my search:
| lookup whitelist.csv src user dst protocol
| where isnull(whitelisted)
But it does not work. Do I need to change anything?
Hi @Erfan,
This is working for me, make sure your file contains data in the format below. There should not be any space between fields and values.
src,dst,protocol,user,whitelisted
192.168.10.1,120.18.97.6,*,*,true
192.168.10.5,*,*,*,true
*,*,https,bob,true
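To make the effect of the reply's formatting advice concrete, here is an added example (editor's code, not from either poster and not Splunk's own implementation) that emulates in Python what the search above does: a CSV whitelist loaded with WILDCARD matching on src, dst, protocol and user, followed by the `where isnull(whitelisted)` filter that keeps only the events no whitelist row covers. It uses Python's `fnmatchcase` as a stand-in for Splunk's wildcard matching (case-sensitive, `*` only, which is all the posted rows use), a set of constructed events, and the same rows written twice: once exactly as the reply recommends and once with a space after each comma. The spaced version is the failure mode: the header cells become " dst", " protocol" and so on, no match field lines up, and every event falls through as "not whitelisted". Two assumptions the page does not state: an event missing one of the four fields is treated as not whitelisted (fail closed, the safer choice for an alert suppression list), and the search is assumed to reference the lookup definition, since in Splunk the WILDCARD match_type is a property of the definition in transforms.conf rather than of the .csv file itself.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed whitelist in the format the reply recommends: no spaces around fields.
WHITELIST_CSV = """src,dst,protocol,user,whitelisted
192.168.10.1,120.18.97.6,*,*,true
192.168.10.5,*,*,*,true
*,*,https,bob,true
"""

# The same rows with a space after each comma, to show why the reply warns against it.
WHITELIST_CSV_SPACED = """src, dst, protocol, user, whitelisted
192.168.10.1, 120.18.97.6, *, *, true
192.168.10.5, *, *, *, true
*, *, https, bob, true
"""

# Fields the search passes to the lookup; each gets WILDCARD matching.
MATCH_FIELDS = ("src", "dst", "protocol", "user")

# Constructed events standing in for the search results before the lookup.
EVENTS = [
    {"src": "192.168.10.1", "dst": "120.18.97.6", "protocol": "ssh",   "user": "alice"},
    {"src": "192.168.10.5", "dst": "10.0.0.9",     "protocol": "dns",   "user": "svc"},
    {"src": "10.1.1.7",     "dst": "93.184.216.34", "protocol": "https", "user": "bob"},
    {"src": "10.1.1.7",     "dst": "93.184.216.34", "protocol": "https", "user": "carol"},
    {"src": "192.168.10.1", "dst": "8.8.8.8",       "protocol": "dns",   "user": "alice"},
]


def load_whitelist(text):
    """Parse the CSV exactly as written; no whitespace stripping, so a spaced
    header yields keys like ' dst' instead of 'dst'."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup_whitelisted(event, rows):
    """Emulate `| lookup <definition> src dst protocol user` with WILDCARD on all
    four fields. Returns the 'whitelisted' value of the first row whose every
    match field wildcard-matches the event, or None when nothing matches
    (Splunk leaves the output field absent, which is what isnull() tests).
    Assumption (editor's): an event lacking a match field never matches, so
    wildcard rows cannot suppress events with missing data."""
    for row in rows:
        matched = all(
            f in event and fnmatchcase(event[f], row.get(f, ""))
            for f in MATCH_FIELDS
        )
        if matched:
            return row.get("whitelisted")
    return None


def alert_events(events, rows):
    """`| where isnull(whitelisted)`: keep only events no whitelist row covered."""
    return [e for e in events if lookup_whitelisted(e, rows) is None]


if __name__ == "__main__":
    good = load_whitelist(WHITELIST_CSV)
    spaced = load_whitelist(WHITELIST_CSV_SPACED)
    print("correct CSV  -> alerts:", [e["user"] for e in alert_events(EVENTS, good)])
    print("spaced CSV   -> alerts:", [e["user"] for e in alert_events(EVENTS, spaced)])
```

Run it and the correctly formatted file suppresses three of the five events (the two exact-host rows and the `https`/`bob` row each fire once), leaving only carol's HTTPS session and alice's DNS traffic to alert; the spaced file suppresses nothing, so the whitelist is silently ineffective rather than visibly broken, which is exactly the symptom described in the question.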