Hello,
I have a CSV file containing two columns, URL and IP. I'm using it to retrieve only events where a match is found:
index=sec_ssl host="app-ssl-1" OR host="app-ssl-2" AND dest_port=443
[| inputlookup https_de | rename URL as domain, IP as dest_ip | fields domain, dest_ip]
| stats count as Connections by domain, dest_ip, dest_port
| sort - Connections
| head 10
This works apparently:
But I'd like to extend it a bit. Each event contains a field, cipher suite, with the cipher suite used for the connection, e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA ...
I have another CSV lookup file that looks like this:
How could I possibly take the Connections count for a given domain + dest_ip pair and get another two columns to provide the amount of connections that could be decrypted Inline (it should always be equal to Connections) and Passive-Tap, which should only count events where the cipher suite matches "yes" under the passive-tap column?
Any hints are more than appreciated!
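One way to get the two extra columns, as an added example and not part of the original post: enrich each event with the cipher-suite lookup, turn the yes/no answers into 0/1 flags, and sum them alongside the count in the same stats. It assumes the second lookup is named cipher_decrypt with columns cipher_suite, inline and passive_tap holding yes/no values, and that the event field is called cipher_suite; all of those names are assumptions and must be changed to match the real lookup and field names.

```spl
index=sec_ssl (host="app-ssl-1" OR host="app-ssl-2") AND dest_port=443
    [| inputlookup https_de | rename URL as domain, IP as dest_ip | fields domain, dest_ip]
| lookup cipher_decrypt cipher_suite OUTPUT inline, passive_tap
| fillnull value="no" inline, passive_tap
| eval inline_ok=if(lower(inline)="yes", 1, 0)
| eval passive_ok=if(lower(passive_tap)="yes", 1, 0)
| stats count as Connections, sum(inline_ok) as Inline, sum(passive_ok) as "Passive-Tap" by domain, dest_ip, dest_port
| sort - Connections
| head 10
```

The fillnull step matters: a cipher suite that is absent from the lookup is counted as not decryptable rather than silently dropped, which is the safer default when the lookup is incomplete. If Inline really is always decryptable, the inline column of the lookup can be skipped and Inline set with eval Inline=Connections after the stats.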