Hi, I am a beginner.
I have a correlation rule that:
- searches for IP addresses that are doing port scans
- checks the lookup table to see whether each IP address is listed
- if an IP address is not in the lookup table: creates an alert in ES
- adds this IP to the lookup table (to avoid duplicates)
I have two lookup tables:
- scan_port.csv
- network_provider.csv
Now I would like to filter the IP addresses by a lookup table (a list of CIDR ranges: "network_provider.csv").
If possible, this filter would come first in the correlation rule, to avoid adding a filtered IP to the lookup table "scan_port.csv".
The priority is to:
- Find the IPs doing port scans
- Filter the IPs (by the lookup table "network_provider")
- Check for duplicates (by the lookup table "scan_port")
- Make an alert
- Add the IP to the lookup table (port scan)
As I said, I have a correlation rule for port scans that has been working for years.
I would like to add the filter by CIDR range. I have the command (cidrmatch) that works for the filter.
But I can't get it to work; between the port-scan lookup and the two lookup tables, I can't find a solution.
Any ideas?
Thanks in advance
@Treize - You can have something like this:
<your-query>
| search NOT [| inputlookup network_provider.csv | table network_ip_range | rename network_ip_range as src_ip] --> Filter IPs (by the lookup table "network_provider")
| search NOT [| inputlookup scan_port.csv | table src_ip] --> Check for duplicates (by the lookup table "scan_port")
| appendpipe [| table src_ip | outputlookup append=true scan_port.csv] --> Add the IP in the search table (port scan)
--> You will have the rest of the results left here, and ES will generate the alert for them according to the correlation search rules
Assumptions (make changes to the query accordingly):
* The IP field in your data and in the scan_port.csv lookup is src_ip
* The IP-range field in your network_provider.csv lookup is network_ip_range.
I hope this helps!!! Karma/upvote would be appreciated!!!
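As an added example (this is not the answer's SPL and not Splunk code), here is a small Python model of the same five-step flow, so the ordering can be checked against real-looking input: candidates from the port-scan rule, filter by the CIDR lookup, drop IPs already in scan_port.csv, alert, append. The two lookups and the candidate list are constructed strings embedded in the script; the field names src_ip and network_ip_range are the same assumptions the answer makes. It also covers two cases worth thinking about in the SPL: the same IP turning up twice in one run (alert once, write once) and a value that is not an IP at all (never written to the lookup).

```python
"""Python model of the port-scan correlation flow discussed in the thread
(added example, not the poster's SPL):

  1. candidates = IPs produced by the existing port-scan rule
  2. drop any IP inside a range listed in network_provider.csv (cidrmatch)
  3. drop any IP already present in scan_port.csv (already alerted)
  4. alert on what is left
  5. append those IPs to scan_port.csv

Lookups and candidates are constructed inline so the script runs offline.
"""
import csv
import io
import ipaddress

# Constructed stand-in for network_provider.csv (one CIDR per row).
NETWORK_PROVIDER_CSV = """network_ip_range
10.0.0.0/8
192.168.1.0/24
2001:db8::/32
"""

# Constructed stand-in for scan_port.csv (IPs alerted on in earlier runs).
SCAN_PORT_CSV = """src_ip
203.0.113.7
"""

# Constructed output of the port-scan rule for one run. Note the repeated IP,
# the IPv6 address and the malformed value.
CANDIDATES = [
    "10.1.2.3",        # inside 10.0.0.0/8 -> filtered by the provider lookup
    "203.0.113.7",     # already in scan_port.csv -> duplicate, no new alert
    "198.51.100.9",    # new -> alert
    "192.168.2.4",     # NOT inside 192.168.1.0/24 -> alert
    "198.51.100.9",    # repeated within the same run -> alert only once
    "2001:db8::1",     # inside 2001:db8::/32 -> filtered
    "not-an-ip",       # unparsable -> dropped, never written to the lookup
]


def load_ranges(csv_text):
    """Parse the provider lookup into network objects; rows that are not valid CIDRs are skipped."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            nets.append(ipaddress.ip_network(row["network_ip_range"].strip(), strict=False))
        except ValueError:
            continue
    return nets


def load_seen(csv_text):
    """Return the set of IPs already recorded in the scan_port lookup."""
    return {row["src_ip"].strip() for row in csv.DictReader(io.StringIO(csv_text))}


def cidrmatch(nets, ip_text):
    """SPL cidrmatch(range, ip) applied across every range; False for unparsable input."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in nets)


def correlate(candidates, provider_csv, seen_csv):
    """Run the five steps; return (alerts, updated scan_port.csv text)."""
    nets = load_ranges(provider_csv)
    seen = load_seen(seen_csv)
    alerts = []
    for ip_text in candidates:
        try:
            ip = str(ipaddress.ip_address(ip_text))   # normalise, reject garbage
        except ValueError:
            continue
        if cidrmatch(nets, ip):      # step 2: provider range, filtered before touching scan_port
            continue
        if ip in seen:               # step 3: already alerted in an earlier run
            continue
        alerts.append(ip)            # step 4: this is what ES would alert on
        seen.add(ip)                 # step 5 (in memory); also dedupes within this run
    # Rebuild the lookup text: existing rows plus the newly alerted IPs,
    # mirroring "outputlookup append=true scan_port.csv".
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["src_ip"])
    for row in csv.DictReader(io.StringIO(seen_csv)):
        writer.writerow([row["src_ip"].strip()])
    for ip in alerts:
        writer.writerow([ip])
    return alerts, out.getvalue()


if __name__ == "__main__":
    found, updated_lookup = correlate(CANDIDATES, NETWORK_PROVIDER_CSV, SCAN_PORT_CSV)
    for ip in found:
        print("ALERT: port scan from", ip)
    print(updated_lookup)
```

Running it alerts on 198.51.100.9 and 192.168.2.4 only, and the updated lookup text contains each of them once. The in-run dedupe is the one thing the SPL above does not do explicitly: if the same src_ip appears in several events of one scheduled run, a `dedup src_ip` before the `outputlookup` keeps scan_port.csv from collecting repeated rows.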
Incredible! You are amazing 😃
I've been searching for 4 days. I am really a newbie at this...
Thank you very much; besides solving my problem, you just taught me a new way to use SPL. I have to redo my logic.
Thanks again.
@Treize - Yeah. It's called a sub-search (a search within a search: anything between [] square brackets).
* It has many use cases. This is one of them: using it to build the search query. If you open the Job Inspector you will see the generated search query after the results of the sub-search have been substituted in.
* Useful with other commands like append, join, etc.
* Use it wisely, because to keep performance intact sub-searches are subject to many limits, like maximum run time, maximum results (50k by default), etc.
* For me, your use case is a perfect illustration of how and where to use sub-searches.
I hope this helps!!!