I want to create an alert that triggers when a srcip OR destip exists in a lookup table (e.g. threatiplist.csv). But I'm not sure how to create the search string for this. The fields I'm using in the threatiplist lookup table are as follows:
srcip, destip, threatcountry, threatname
(NOTE: The srcip and destip field values are duplicates of each other in the lookup table.)
If the srcip OR destip matches an IP address listed in the table, the alert should trigger and provide the threatcountry and threatname information. Any recommendations on how to do this are greatly appreciated.
Try like this:
your search to get ip_address field which contains the ip
| lookup threat_ip_list.csv src_ip as ip_address OUTPUT threat_country as threat_country1, threat_name as threat_name1
| lookup threat_ip_list.csv dest_ip as ip_address OUTPUT threat_country as threat_country2, threat_name as threat_name2
| where isnotnull(threat_country1) OR isnotnull(threat_country2)
| eval threat_country=coalesce(threat_country1,threat_country2)
| eval threat_name=coalesce(threat_name1,threat_name2)
| table ip_address threat_country threat_name
Thank you. I ran the search you provided. I had problems with the "lookup threatiplist.csv srcip as ipaddress" and "lookup threatiplist.csv destip as ipaddress" lines, but I worked around it by adding srcip and destip fields in the lookup table, giving them equivalent IP values, and removing the "as ip_address" from the search string.
Everything else worked great!
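The logic the accepted answer builds in SPL (look up the source IP, look up the destination IP, keep the event if either side hit, and coalesce the threat fields from whichever side matched) is easy to check outside Splunk. The Python below is an added example written for this thread, not code from the original post or from Splunk; the threat-list rows and the events are constructed sample data in the same column layout the question describes (srcip and destip duplicating each other), and the function names are my own. It also handles two things the thread touches on: because the two IP columns are duplicates, a single IP-keyed map is enough, and a malformed row in the lookup is skipped rather than breaking the whole alert.

```python
import csv
import io
import ipaddress

# Constructed threat list in the question's column layout (srcip and destip
# hold the same value on every row, as the post notes). Sample data only.
THREAT_CSV = """srcip,destip,threatcountry,threatname
198.51.100.7,198.51.100.7,Examplia,ExampleBotnet-C2
203.0.113.42 ,203.0.113.42,Testland,ExampleScanner
not-an-ip,not-an-ip,Nowhere,BrokenRow
"""

# Constructed events standing in for the base search's results.
EVENTS = [
    {"srcip": "10.0.0.5", "destip": "198.51.100.7"},      # destination hit
    {"srcip": "203.0.113.42", "destip": "10.0.0.9"},      # source hit
    {"srcip": "10.0.0.5", "destip": "10.0.0.6"},          # no hit
    {"srcip": "198.51.100.7", "destip": "203.0.113.42"},  # both sides hit
]


def normalize_ip(raw):
    """Return a canonical IP string, or None if the value is not an address."""
    try:
        return str(ipaddress.ip_address((raw or "").strip()))
    except ValueError:
        return None


def load_threat_lookup(csv_text):
    """Build {ip: (threatcountry, threatname)} from the lookup CSV.

    Since srcip and destip are duplicates, one map keyed on the IP serves both
    lookups in the answer. Rows whose IP does not parse are skipped so one bad
    line in the CSV cannot silently disable the alert.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in ("srcip", "destip"):
            ip = normalize_ip(row.get(col))
            if ip is None:
                continue
            table[ip] = (row["threatcountry"].strip(), row["threatname"].strip())
    return table


def match_events(events, table):
    """Equivalent of the answer's two lookups + where + coalesce.

    An event is kept when its srcip OR destip is in the table. The reported
    threat fields come from the source side when both match, mirroring
    coalesce(threat_country1, threat_country2) in the SPL.
    """
    hits = []
    for ev in events:
        src_hit = table.get(normalize_ip(ev.get("srcip")))
        dst_hit = table.get(normalize_ip(ev.get("destip")))
        hit = src_hit or dst_hit
        if hit is None:
            continue
        country, name = hit
        hits.append({
            "srcip": ev["srcip"],
            "destip": ev["destip"],
            "matched_ip": ev["srcip"] if src_hit else ev["destip"],
            "threatcountry": country,
            "threatname": name,
        })
    return hits


if __name__ == "__main__":
    lookup = load_threat_lookup(THREAT_CSV)
    for hit in match_events(EVENTS, lookup):
        print(hit)
```

Running it prints three alert rows (the clean internal-to-internal event is dropped), and the malformed "not-an-ip" row never enters the table. The same shape applies if you later collapse the lookup to a single IP column: the event's srcip and destip are each matched against that one key.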