Hello,
I'm trying to make an automatic lookup for action=success / failure / read / deleted / modified / etc. The problem is that my inputs are coming from multiple fields:
res=success/failed
type=user_auth
type=login
syscall=1/3/4/5/6/n
for example, when my inputs are:
(type=login OR type=user_start) AND res=success
action should be "success"
when:
(type=login OR type=user_auth) AND res=failed
action should be "failure"
and when:
syscall=4
action should be "deleted" (for example, I can map all the linux syscalls)
my props is:
[linux_audit]
LOOKUP-test1 = test_linux input_var1 AS syscall, input_var2 AS type, input_var3 AS res OUTPUTNEW output_var2 AS action
and my transforms is:
[test_linux]
batch_index_query = 0
case_sensitive_match = 0
filename = test_linux.csv
this is my csv:
input_var1,input_var2,input_var3,output_var2
2,,,read
,USER_LOGIN,failed,failure
,USER_START,failed,failure
,USER_LOGIN,success,success
,USER_START,success,success
I'm not getting the 'action' field. I know I can do this easily with an EVAL case function, but I want to test if such a lookup is possible. I mean, if an event meets the lookup requirement, its action field should match success/failure/deleted/modified/etc.
Thanks!
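To make the matching behaviour visible, here is an added Python model of how a CSV lookup with several input fields resolves against an event. It is not Splunk code and not from the original post; it approximates Splunk's CSV lookup semantics with these assumptions: every input column must match its row cell, a missing event field matches nothing except a `*` cell in a wildcard column (the `match_type = WILDCARD(...)` transforms.conf setting), `case_sensitive_match = 0` lowercases both sides, the first matching row wins, and OUTPUTNEW never overwrites a field the event already has. The two CSV tables (the poster's original one, and a constructed variant with `*` in the cells that should not constrain the match) and the sample events are constructed for this example.

```python
import csv
import fnmatch
import io

# The poster's table: blank cells in the columns a row does not care about.
LOOKUP_CSV_EXACT = """input_var1,input_var2,input_var3,output_var2
2,,,read
,USER_LOGIN,failed,failure
,USER_START,failed,failure
,USER_LOGIN,success,success
,USER_START,success,success
"""

# Constructed variant: '*' in the unconstrained columns, intended for
# transforms.conf  match_type = WILDCARD(input_var1,input_var2,input_var3)
LOOKUP_CSV_WILDCARD = """input_var1,input_var2,input_var3,output_var2
*,USER_LOGIN,failed,failure
*,USER_START,failed,failure
*,USER_LOGIN,success,success
*,USER_START,success,success
2,*,*,read
4,*,*,deleted
"""

# Mapping from the props.conf line:
#   test_linux input_var1 AS syscall, input_var2 AS type, input_var3 AS res
#   OUTPUTNEW output_var2 AS action
FIELD_MAP = {"input_var1": "syscall", "input_var2": "type", "input_var3": "res"}
OUTPUT_MAP = {"output_var2": "action"}
ALL_INPUT_COLUMNS = tuple(FIELD_MAP)


def load_table(text):
    """Parse a lookup CSV into a list of row dicts (header row gives the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def cell_matches(cell, value, wildcard, case_sensitive):
    """Decide whether one CSV cell accepts one event value.

    Assumption of this model: an event that lacks the field (value is None)
    matches only a '*' cell in a wildcard column; a blank cell is an exact
    empty string, not a wildcard.
    """
    if value is None:
        return wildcard and cell == "*"
    if not case_sensitive:
        cell, value = cell.lower(), value.lower()
    return fnmatch.fnmatchcase(value, cell) if wildcard else cell == value


def apply_lookup(event, table, field_map=FIELD_MAP, output_map=OUTPUT_MAP,
                 wildcard_fields=(), case_sensitive=False):
    """Return a copy of the event with OUTPUTNEW fields from the first matching row.

    field_map  : lookup column -> event field it is matched against
    output_map : lookup column -> event field it is written to
    """
    for row in table:
        if all(cell_matches(row[col], event.get(ev_field), col in wildcard_fields,
                            case_sensitive)
               for col, ev_field in field_map.items()):
            enriched = dict(event)
            for col, ev_field in output_map.items():
                enriched.setdefault(ev_field, row[col])  # OUTPUTNEW: keep existing value
            return enriched
    return dict(event)  # no row matched: no 'action' field is added


def action_for(event, table_text, wildcard):
    """Convenience wrapper: the 'action' the lookup yields for an event, or None."""
    table = load_table(table_text)
    fields = ALL_INPUT_COLUMNS if wildcard else ()
    return apply_lookup(event, table, wildcard_fields=fields).get("action")


if __name__ == "__main__":
    # Constructed sample events: a USER_LOGIN record (no syscall field) and a
    # SYSCALL record (no res field), as produced by an auditd-style source.
    login_ok = {"type": "user_login", "res": "success"}
    unlink_call = {"type": "SYSCALL", "syscall": "4"}
    for ev in (login_ok, unlink_call):
        print(ev, "exact:", action_for(ev, LOOKUP_CSV_EXACT, False),
              "wildcard:", action_for(ev, LOOKUP_CSV_WILDCARD, True))
```

Running the model shows why the blank-cell table yields no `action` for either event: a blank cell only equals an empty value, so a row that leaves `input_var1` blank can never match a USER_LOGIN event that has no `syscall` at all under this model, and a row with `2` in `input_var1` never matches `syscall=4`. The `*` table with wildcard matching on all three input columns produces `success` for the login event and `deleted` for the syscall event, with the case-insensitive flag absorbing `user_login` versus `USER_LOGIN`.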