I thought analysts were such data nerds they could normalize a database with their hands tied behind their back 😉 But OK, if they are not. All you need to do is to design a language that they can work with, then produce the actual lookup programmatically. For example, they can use "|" to represent logical "OR" like in many programming languages, and input the following rule:

description,parent_process,parent_process_path,process,process_md5,process_path,score
Office: Execution susp child (cmd),*,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*,cmd.exe|wscript.exe|powershell.exe|mshta.exe,80

Save this to analyst_rule.csv. Then run the following:

| inputcsv analyst_rule.csv
| eval process_path = split(process_path, "|")
| mvexpand process_path
| eval description = replace(description, "\s*\(.*\)$", "") . " (" . replace(process_path, "\..+", "") . ")" ``` this is perhaps unnecessary ```
| outputlookup real_rule

The real_rule table will look like

description,parent_process,parent_process_path,process,process_md5,process_path,score
Office: Execution susp child (cmd),*,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*,cmd.exe,80
Office: Execution susp child (wscript),*,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*,wscript.exe,80
Office: Execution susp child (powershell),*,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*,powershell.exe,80
Office: Execution susp child (mshta),*,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*,mshta.exe,80

This is just one of possible solutions to improve usability.
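The same expansion done outside Splunk, as an added example that is not part of the answer above: it reads the analyst's "|"-separated rule file, emits one row per alternative (the equivalent of split + mvexpand), and tags each description with the process name minus its extension. The column order and the sample rule are assumed to match analyst_rule.csv as shown.

```python
import csv
import io
import re

# Constructed sample input in the shape of analyst_rule.csv (column order assumed).
ANALYST_RULE_CSV = (
    "description,parent_process,parent_process_path,process,process_md5,process_path,score\n"
    "Office: Execution susp child (cmd),*,"
    "C:\\Program Files (x86)\\Microsoft Office\\root\\Office*,*,*,"
    "cmd.exe|wscript.exe|powershell.exe|mshta.exe,80\n"
)

# Trailing "(...)" already present on a description, so it is not appended twice.
_SUFFIX_RE = re.compile(r"\s*\([^)]*\)$")


def expand_rules(csv_text, field="process_path", sep="|"):
    """Expand every row whose `field` holds sep-separated alternatives into one row per
    alternative (like split + mvexpand), renaming the description per alternative."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        base = _SUFFIX_RE.sub("", row["description"])
        for alt in row[field].split(sep):
            alt = alt.strip()
            if not alt:  # ignore empty pieces such as "a||b"
                continue
            name = re.sub(r"\..+$", "", alt)  # cmd.exe -> cmd, same as replace(..., "\..+", "")
            new = dict(row)
            new[field] = alt
            new["description"] = f"{base} ({name})"
            rows.append(new)
    return rows


def render_lookup(rows, fieldnames):
    """Serialise the expanded rows back to CSV text ready for use as a lookup file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    expanded = expand_rules(ANALYST_RULE_CSV)
    header = next(csv.reader(io.StringIO(ANALYST_RULE_CSV)))
    print(render_lookup(expanded, header))
```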