I want to push the internal IP address (or host name) into a reference set whenever I see any communication with a blacklisted IP address (from threat intel). Further, I want to correlate the same internal IP/host name (which communicated with the blacklisted IP) with antivirus logs to check whether it got infected by some malware.
The lookup would contain blacklisted IPs, and a search would run against the lookup. Something like this.
index=firewall [| inputlookup blacklist.csv | fields ip | rename ip AS dst | format]
The above search would open blacklist.csv, retrieve only the column named ip, rename ip to dst, and return all ip/dst to the main search. It would end up with a final search looking like this:
index=firewall dst=10.0.0.1 OR dst=10.0.0.2 OR dst=10.0.0.3
Now you can write the results of this search to a summary index using the collect command, and finally you can use the summary index in searches to correlate internal IPs which have communicated with blacklisted IPs with antivirus logs, etc.
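Putting the whole procedure together as an added example (not from the original poster or answerer): the first search is meant to run on a schedule and writes one row per internal host that reached a blacklisted destination into a summary index; the second search reads that summary index back and correlates it with antivirus events by host. The field names are assumptions: firewall events carry src and dst, antivirus events carry dest_ip, signature and action, the summary index is called threat_hits, and the lookup is blacklist.csv with a column named ip. Adjust them to your sourcetypes.

```spl
index=firewall
    [| inputlookup blacklist.csv
     | fields ip
     | rename ip AS dst
     | format ]
| stats count AS hits,
        min(_time) AS first_seen,
        max(_time) AS last_seen,
        values(dst) AS blacklisted_dst
    BY src
| collect index=threat_hits marker="report=blacklist_hits"

index=threat_hits report=blacklist_hits earliest=-24h
| rename src AS host_ip
| fields host_ip blacklisted_dst first_seen last_seen
| append
    [ search index=antivirus earliest=-24h
      | rename dest_ip AS host_ip
      | fields host_ip signature action ]
| stats values(blacklisted_dst) AS blacklisted_dst,
        min(first_seen) AS first_contact,
        values(signature) AS malware,
        values(action) AS av_action
    BY host_ip
| where isnotnull(blacklisted_dst) AND isnotnull(malware)
| convert ctime(first_contact)
```

The format command in the first search turns the lookup rows into a single ( ( dst="10.0.0.1" ) OR ( dst="10.0.0.2" ) ... ) clause for the outer search, so the list of blacklisted IPs is subject to the normal subsearch limits (10,000 results and 60 seconds by default, configurable in limits.conf); split the lookup or use a lookup-based filter if your threat intel list is larger. The marker argument to collect stamps report=blacklist_hits onto every summary event, which is what the second search keys on, and collect writes with sourcetype stash by default, so the summary data does not count against license volume. In the second search the where clause keeps only hosts that appear on both sides, i.e. hosts that talked to a blacklisted IP and also triggered an antivirus detection in the same window; drop the isnotnull(malware) condition if you also want to see hosts that contacted a blacklisted IP but had no AV hit, which are often the more interesting ones.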