Hi, I am working on a lookup in a lookup.
I have the following search:
index=* source="*WinEventLog:Security" EventCode=4688
[| inputlookup attacktoolsh.csv WHERE discovery_or_attack=attack | stats values(filename) as search | format]
| transaction host maxpause=10m
| where eventcount>=5
| fields - _raw closed_txn field_match_sum linecount
| table ComputerName, New_Process_Name, Process_Command_Line, _time, eventcount
This works fine; the lookup attacktoolsh.csv has the tools, and I have a hit on a client.
Now I would like to integrate a second lookup file into the search that looks at a file with a computername/username in it, so that if the search hits on attacktoolsh.csv it looks in the second file, and if a computer/user is in that file the search should not produce a notable. In short: computer A is running "nmap", this is allowed on computer A, and computer A is in the second file. Computer B is running "nmap" and is not allowed to run this, so produce a notable / warning. Does anybody have an idea how to integrate this together?
Thanks.
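One way to wire in the second file as an allowlist, written here as an added example (not from the original post): it assumes a CSV lookup named allowed_tool_hosts.csv with a ComputerName column listing the hosts permitted to run the attack tools, and filters those hosts out before the transaction step so they never reach the notable.

```spl
index=* source="*WinEventLog:Security" EventCode=4688
    [| inputlookup attacktoolsh.csv WHERE discovery_or_attack=attack
     | stats values(filename) AS search
     | format]
| lookup allowed_tool_hosts.csv ComputerName OUTPUT ComputerName AS allowed_host
| where isnull(allowed_host)
| transaction host maxpause=10m
| where eventcount>=5
| fields - _raw closed_txn field_match_sum linecount
| table ComputerName, New_Process_Name, Process_Command_Line, _time, eventcount
```

Hosts present in allowed_tool_hosts.csv get allowed_host populated by the lookup and are dropped by the `where isnull(allowed_host)` line, while every other host continues into the existing transaction logic. To allowlist per user as well, add a user column to the CSV and name that field in the lookup clause alongside ComputerName (the exact field name depends on how your Windows add-on extracts the 4688 account field).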