Hello,
I am having trouble figuring out where to even start.....
Here is my scenario.
I have a search that is showing me open ports on a system based on a vulnerability scan:
index=vuln_scanner | stats count by dest_dns dest_ip port protocol
Here is an example of the search result:
dest_dns | dest_ip | port | protocol
hi.com | 10.1.1.1 | 80 | tcp | 12
bye.com | 10.2.2.2 | 22 | tcp | 12
splunk.com | 10.3.3.3 | 53 | udp | 5
test.com | 10.4.4.4 | 80 | tcp | 4
nope.com | 10.5.5.5 | 22 | tcp | 3
I have a lookup called "allowed_ports.csv" that includes a list of ports that I have "allowed" (expect to be open) that looks something like this:
1. comment, dest_port, is_allowed, transport
2. http, 80, true, tcp
3. dns, 53, true, udp
How can I make my search query add a column into the results table to show if a certain port is allowed or not? I want something to sort of look like this based on the values in the lookup:
dest_dns | dest_ip | port | protocol | is_allowed
hi.com | 10.1.1.1 | 80 | tcp | true | 12
bye.com | 10.2.2.2 | 22 | tcp | false | 12
splunk.com | 10.3.3.3 | 53 | udp | true | 5
test.com | 10.4.4.4 | 80 | tcp | true | 4
nope.com | 10.5.5.5 | 22 | tcp | false | 3
Instead of true/false I am okay with showing 0/1 or yes/no. Any help would be greatly appreciated.
This should work
index=vuln_scanner
| stats count by dest_dns dest_ip port protocol
| lookup allowed_ports.csv transport as protocol, dest_port as port OUTPUT is_allowed
Please mark a s answer if this is what you were looking for.
Cheers
Hello! Thank you for the response. Unfortunately I am getting the following error:
Error in 'lookup' command: Could not construct lookup 'allowed_ports.csv, transport, as, protocol, dest_port, as, port, OUTPUT, is_allowed'. See search.log for more details.
Hi @agolkar
Have you added additional commas? Could you please paste the line with your lookup command here?
Sure, here you go:
| lookup allowed_ports.csv transport as protocol, dest_port as port OUTPUT is_allowed