Solved: Re: How do I Search for IP address hitting a Host ...

balu1211 · ‎11-16-2022

gcusello · ‎12-14-2022

sorry but I don't understand: do you want to add ip_details that are in the ip_add.csv lookup?

if this is your need, you could add a lookup command after the stats command.

index=waf action_waf IN ("deny") NOT [ | inputlookup ip_add.csv | table IP | rename IP as "client_ip" | format ]
| rename "attackData.clientIP" as "client_ip","attackData.policyId" as "Policy ID", "attackData.rules{}.message" as "message"
| lookup policyname.csv "Policy ID" OUTPUT "Policy Name"
| stats values(Policy Name) as "policy_name", values(waf_rules) as waf_rules,values(message) as message count by "client_ip","action_waf"
| lookup ip_add.csv IP AS client_ip OUTPUTNEW client_ip_details
| where count > 100
| fields + client_ip_details

Ciao.

Giuseppe

View solution in original post

balu1211 · ‎12-14-2022

@gcusello
In the output i need a whois on that IP like WHOIS.net url

balu1211 · ‎11-16-2022

@gcusello

My use case is like findings the public ip addresses hitting the WAF Host.

gcusello · ‎11-16-2022

Hi @balu1211,

I don't know if someone else is able to help you, but without information I don't know how to do it!

Please, share more information.

Ciao.

Giuseppe

balu1211 · ‎11-16-2022

@gcusello

I have a index waf in which i have to find out the number of unique clientip , policyname,action by host name and adding lookup table in search to exclude ips of lookup table.

gcusello · ‎11-16-2022

Hi @balu1211,

ok, please try something like this (to adapt to your real fields):

index=waf NOT [ | inputlookup your_lookup | fields ip ]
| stats 
   dc(clientip) AS clientip_count
   values(clientip) AS clientip
   dc(policyname) AS policyname_count 
   values(policyname) AS policyname
   dc(action) AS action_count 
   values(action) AS action
   by host

if you don't want the list of values of clientip, policyname and action, remove the values options.

Ciao.

Giuseppe

balu1211 · ‎11-25-2022

.

gcusello · ‎11-16-2022

Hi @balu1211,

which Data Sources have you available (Firewall, VPN, network traffic, operative system, applications)?

Could you better describe your request?

Ciao.

Giuseppe

balu1211 · ‎12-13-2022

.

gcusello · ‎12-13-2022

Hi @balu1211 ,

your search isn't optimized: don't use search after search, put all the serche terme in the main search to have a moro efficient search:

then, use quotes when you have spaces or special chars in field names (e.g. "Policy Name"), but probably it was a copy error.

Other than efficiency, what's the problem of your search?

index=waf action_waf IN ("deny") NOT [ | inputlookup ipadd.csv | table IP | rename IP as "client_ip" | format ]
| lookup policyname.csv "Policy ID" OUTPUT "Policy Name"
| stats 
   values("Policy Name") AS "policy_name" 
   values(waf_rules) AS waf_rules
   values(message) AS message 
   count 
   BY client_ip action_waf

Ciao.

Giuseppe

balu1211 · ‎12-14-2022

...

balu1211 · ‎12-14-2022

@gcusello

Could you please look into this above scenario....

gcusello · ‎12-14-2022

Hi @balu1211 ,

sorry but I don't understand: do you want to add ip_details that are in the ip_add.csv lookup?

if this is your need, you could add a lookup command after the stats command.

index=waf action_waf IN ("deny") NOT [ | inputlookup ip_add.csv | table IP | rename IP as "client_ip" | format ]
| rename "attackData.clientIP" as "client_ip","attackData.policyId" as "Policy ID", "attackData.rules{}.message" as "message"
| lookup policyname.csv "Policy ID" OUTPUT "Policy Name"
| stats values(Policy Name) as "policy_name", values(waf_rules) as waf_rules,values(message) as message count by "client_ip","action_waf"
| lookup ip_add.csv IP AS client_ip OUTPUTNEW client_ip_details
| where count > 100
| fields + client_ip_details

Ciao.

Giuseppe