Hello,
I currently have a search against our firewalls, below is the current search.
index=(my index) sourcetype="my_source" ipsrcip!=(ip)
I have a lookup file called 'threatip' that contains a list of source IPs in the first column named 'ip'. I would like to create a search that presents events from the initial search where the source IP from the lookup matches the source IP in the firewall logs.
Firewall log fields -
Source IP - 'srcip'
Lookup Table Fields -
Source IP - 'ip'
It seems so simple, yet I am having some issues with it; advice would be much appreciated.
Thank you,
Nick.
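Added example (not part of the original post): two standard SPL patterns for keeping only the firewall events whose source IP appears in the lookup. It assumes the firewall field is 'srcip' as listed in the post, that 'threatip' exists as a lookup definition (not only an uploaded CSV file, which the lookup command alone does not accept), and that its first column is named 'ip'. The placeholders '(my index)' and '(ip)' are left as in the original search.

```spl
# Pattern 1: enrich each event with the lookup, then keep only matches.
# 'lookup' takes a lookup definition name; 'ip AS srcip' maps the lookup's
# 'ip' column onto the event's 'srcip' field. 'OUTPUT ip AS threat_ip' adds a
# field only on matching events, so isnotnull() acts as the filter.
index=(my index) sourcetype="my_source" srcip!=(ip)
| lookup threatip ip AS srcip OUTPUT ip AS threat_ip
| where isnotnull(threat_ip)
| fields - threat_ip

# Pattern 2: build the filter from the lookup with a subsearch.
# 'inputlookup' accepts either the CSV filename or the definition name; the
# rename makes the subsearch expand to (srcip=a.b.c.d OR srcip=...).
index=(my index) sourcetype="my_source" srcip!=(ip)
    [| inputlookup threatip | rename ip AS srcip | fields srcip]
```

Pattern 1 scales to large lookups and runs on every event; pattern 2 is easier to read but is bounded by the subsearch result limit (10,000 rows by default), so a long threat list silently truncates. Both match on exact string equality, so values in the lookup must be plain IPs with no trailing whitespace or CIDR notation.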