I need to create a correlation search that would trigger an alert if it finds a match for the IPs from:
| inputlookup ip_spywarelist.csv against an indexer (i.e. index=FW)
Any step-by-step guidance?
Hi @Kitag345,
if you have Splunk Enterprise Security, you can add this lookup to the ones used in the Threat Intelligence Monitoring.
If you don't have it, you can run a simple search. If the field in the lookup used for searching is "IP", you can run something like this:
index=fw [ | inputlookup ip_spywarelist.csv | rename IP AS query | fields query ]
In this way you perform a full-text search on that index to find any occurrence of the IP field in your lookup.
Ciao.
Giuseppe
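As an added example, not part of either post above, here is a fuller version of the search that a practitioner could save as a scheduled alert. Instead of the full-text subsearch, it uses the lookup command to match the lookup's IP column against specific event fields, so a listed IP is only reported when it actually appears as a source or destination address rather than anywhere in the raw event text. It assumes the lookup file is uploaded as ip_spywarelist.csv with a column named IP (as in the answer), the firewall index is fw (as in the question), and the events carry the CIM-style fields src_ip, dest_ip, action and host; those event field names are assumptions and should be adjusted to the real field names in the data.

```spl
index=fw
| lookup ip_spywarelist.csv IP AS src_ip OUTPUT IP AS src_match
| lookup ip_spywarelist.csv IP AS dest_ip OUTPUT IP AS dest_match
| where isnotnull(src_match) OR isnotnull(dest_match)
| eval matched_ip=coalesce(src_match, dest_match)
| eval direction=if(isnotnull(src_match), "inbound_from_listed_ip", "outbound_to_listed_ip")
| stats count AS hits, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(action) AS actions, dc(host) AS hosts BY matched_ip, direction
| convert ctime(first_seen), ctime(last_seen)
| sort - hits
```

To turn this into the alert asked about, save the search as an alert in Splunk Web, schedule it over a short sliding window (for example every 5 minutes over the last 5 minutes), and set the trigger condition to "number of results is greater than 0", so the alert fires whenever at least one listed IP matched. If the lookup command does not accept the bare file name in your environment, create a lookup definition for ip_spywarelist.csv in Settings and reference that definition name instead. Keeping the original full-text subsearch from the answer as a second, broader search is reasonable when the address fields are not reliably extracted yet.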