I have a rather large lookup table of IP addresses and domain names. I keep adding to this list as we get advisories from various groups. The list has gotten so large that I forget what some of them were for, so I have begun to place (in comma delimited form) referring group (aka FBI, SANS, etc.) and what type of attack it is a part of (pony, struts2, etc.). My lookup table works fine, but how do I get the other two entries to be included when I get a hit on an address?
Here is what I have:
index="firewall" dst_ip OR scr_ip( [|inputlookup bad_actors.csv|rename host as query | fields query] ) NOT www.google.com
*The NOT www.google.com is a sanity checker I put in my tables to make sure things are working correctly.
Obviously the search is going to bring up any hits I may get, and I can obviously put it into a report, but I need to know how to get the second and third fields in there to make it useful.
Thanks for looking!
Based on your search, I assume there is a field with name 'query' in your events.
index="firewall" dst_ip OR scr_ip NOT www.google.com | lookup bad_actors.csv query OUTPUT referringGroup attackType | where isnotnull(referringGroup)
'fields query' to 'fields query referringGroup attackType'. The last two fields should match whatever is in the header of bad_actors.csv.
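A fuller version of the lookup approach, added here as an example rather than taken from either post above. It assumes bad_actors.csv is uploaded as a lookup table with the header query,referringGroup,attackType, and that the firewall events carry the fields src_ip and dst_ip (the question writes the first one as scr_ip; the real field name should be used). The answer's single `lookup ... query OUTPUT ...` only enriches events that already have a field called query; firewall events usually do not, so the lookup is run once against each address field and the two results are merged:

```spl
index="firewall"
| lookup bad_actors.csv query AS src_ip OUTPUT referringGroup AS src_group attackType AS src_attack
| lookup bad_actors.csv query AS dst_ip OUTPUT referringGroup AS dst_group attackType AS dst_attack
| where isnotnull(src_group) OR isnotnull(dst_group)
| eval matched_field   = if(isnotnull(src_group), "src_ip", "dst_ip"),
       matched_ip      = if(isnotnull(src_group), src_ip, dst_ip),
       referringGroup  = coalesce(src_group, dst_group),
       attackType      = coalesce(src_attack, dst_attack)
| where matched_ip != "www.google.com"
| table _time src_ip dst_ip matched_field matched_ip referringGroup attackType
```

Each `lookup` call matches the CSV's query column against one event field and writes the two descriptive columns out under a side-specific alias; `coalesce` then picks whichever side matched so the report has one referringGroup and one attackType column, and matched_field records which end of the connection hit the list. The `where matched_ip != "www.google.com"` line keeps the original sanity-check row out of the results. Domain-name entries in the CSV will only ever match if the events contain a hostname field (a DNS or proxy log, for instance); against pure IP fields they are inert, so a third `lookup ... query AS <hostname_field>` would be needed for sources that have one.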