I have a Threat Intelligence search that I would like to filter on based on results, so the scenario is if the Threat Activity is matched in the Network_Traffic datamodel then based on action = (allowed, dropped or blocked) then the action should only send me the allowed traffic and filter out dropped or blocked traffic. | from datamodel:"Threat_Intelligence"."Threat_Activity"
| search NOT [| inputlookup local_intel_whitelist.csv | fields threat_collection_key, dest
| table threat_collection_key, dest
| format "(" "(" "OR" ")" "OR" ")" ]
| append [| map search="search index=netfilter $threat_match_value$" | eval threat_action_value="found" | eval action="*" ] - this is the line I added.
| dedup threat_match_field,threat_match_value | `get_event_id` | table _raw,event_id,source,src,dest,threat*,weight, orig_sourcetype, action | rename weight as record_weight | `per_panel_filter("ppf_threat_activity","threat_match_field,threat_match_value")` | `get_threat_attribution(threat_key)` | rename source_* as threat_source_*,description as threat_description | eval risk_score=case(isnum(record_weight), record_weight, isnum(weight), weight, 1=1, null()) | fields - *time | eval risk_object_type=case(threat_match_field="query" OR threat_match_field=="src" OR threat_match_field=="dest","system",threat_match_field=="src_user" OR threat_match_field=="user","user",1=1,"other") | eval risk_object=threat_match_value | dedup dest | eval urgency=if(threat_category=="_MISP", "medium" , "high")
... View more