Hi all,
I've been banging my head against the wall trying to get this to work.
What I'm trying to do is to use a lookup table as a whitelist for detected security events. This worked great so far as long as I've only been matching on a single field, but I'd like to create more complex rules and it's falling flat.
Here's an example of what I've been using, which works great:
index=secevents
| lookup Threat_Feed_Whitelist md5 OUTPUTNEW iswhitelist as whitelist
| search NOT whitelist IN ("TRUE")
| table src_user cmdline md5 _time
| collect index=alerts source="Threat Feed"
So I analyze all incoming secevents, unless the md5 is in the whitelist, in which case we ignore it. All other events are sent to an alerting index. Right now Threat_Feed_Whitelist consists of columns md5, comments, and iswhitelist.
I'm trying to expand the whitelist to user, cmdline, md5, comments, and iswhitelist. A field might look like:
bob, *powershell*, *, "Patch management engineer", TRUE
If an event came in where the user was bob and the cmdline included "powershell", it should be whitelisted.
I'm not sure how to get this to match on all three fields though. Right now, it will whitelist anything (presumably because one of the columns is a wildcard). This is what I've been trying:
index=secevents
| lookup Threat_Feed_Whitelist user as src_user OUTPUTNEW iswhitelist as whitelist
| lookup Threat_Feed_Whitelist cmdline OUTPUTNEW iswhitelist as whitelist2
| lookup Threat_Feed_Whitelist md5 OUTPUTNEW iswhitelist as whitelist3
| search NOT ( whitelist IN ("TRUE") AND whitelist2 IN ("TRUE") AND whitelist3 IN ("TRUE") )
| table src_user cmdline md5 _time
| collect index=alerts source="Threat Feed"
Is there a way to do a lookup using multiple fields as the key?
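To show why three independent single-key lookups whitelist everything, and what a single lookup keyed on all three fields does instead, here is an added Python emulation of the lookup semantics (not Splunk code and not from the original post). The whitelist rows, events and md5 values are constructed; the lookup name, column names and the SPL in the comment follow the post.

```python
import fnmatch
from typing import Callable, Dict, List

# Constructed whitelist rows in the column layout the post describes:
# user, cmdline, md5, comments, iswhitelist. "*" and "*powershell*" are
# wildcard patterns, as in a Splunk CSV lookup with match_type = WILDCARD(...).
WHITELIST: List[Dict[str, str]] = [
    {"user": "bob", "cmdline": "*powershell*", "md5": "*",
     "comments": "Patch management engineer", "iswhitelist": "TRUE"},
    {"user": "*", "cmdline": "*", "md5": "0123456789abcdef0123456789abcdef",
     "comments": "Known-good installer (constructed hash)", "iswhitelist": "TRUE"},
]

# Lookup column -> event field (the post maps the user column to src_user).
KEY_MAP = {"user": "src_user", "cmdline": "cmdline", "md5": "md5"}


def _field_matches(pattern: str, value: str) -> bool:
    """Case-insensitive glob match, the way a WILDCARD lookup column behaves."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_whitelisted_per_column(event: Dict[str, str]) -> bool:
    """The post's approach: three separate single-key lookups, then AND.
    Each lookup asks 'does ANY row match on this one column?', so a row whose
    md5 is '*' makes the md5 lookup true for every event, and the '*' user and
    cmdline in another row do the same for those columns."""
    return all(
        any(_field_matches(row[col], event[fld]) and row["iswhitelist"] == "TRUE"
            for row in WHITELIST)
        for col, fld in KEY_MAP.items()
    )


def is_whitelisted_multi_key(event: Dict[str, str]) -> bool:
    """One lookup keyed on all three columns: a single row must match every key.
    Splunk equivalent (transforms.conf: match_type = WILDCARD(cmdline), WILDCARD(md5)):
      | lookup Threat_Feed_Whitelist user AS src_user, cmdline, md5 OUTPUTNEW iswhitelist AS whitelist"""
    return any(
        all(_field_matches(row[col], event[fld]) for col, fld in KEY_MAP.items())
        and row["iswhitelist"] == "TRUE"
        for row in WHITELIST
    )


def alerts(events: List[Dict[str, str]], matcher: Callable[[Dict[str, str]], bool]) -> List[str]:
    """Return the cmdlines that would reach the alerts index under a given matcher."""
    return [e["cmdline"] for e in events if not matcher(e)]


# Constructed events: the first should be whitelisted, the second must alert.
EVENTS = [
    {"src_user": "bob", "cmdline": "powershell.exe -File patch.ps1", "md5": "aaaa"},
    {"src_user": "alice", "cmdline": "suspicious.exe --dump", "md5": "bbbb"},
]
```

Run `alerts(EVENTS, is_whitelisted_per_column)` to see the empty alert list the post observed, and `alerts(EVENTS, is_whitelisted_multi_key)` to see only the second event alert.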