I think I would use a subsearch here. If you're unfamiliar, it allows you to search the threat index and then use that data to limit a search against your traffic index. Something like this I think might work (untested, fat-fingers likely abound):

index=traffic [
    search index=threat
    | stats count by sus_ip
    | eval sus_ip = "\"" . sus_ip . "\""
    | table sus_ip
    | mvcombine sus_ip
    | eval sus_ip = "(" . mvjoin(sus_ip,",") . ")"
    | eval filter = "src_ip IN " . sus_ip . " OR dst_ip IN " . sus_ip
    | return $filter
]
| table src_ip, dst_ip, action

So $filter gets built up in the subsearch and is returned to the main search. So the main search becomes something like:

index=traffic src_ip IN ("1.2.3.4","2.3.4.5","3.4.5.6") OR dst_ip IN ("1.2.3.4","2.3.4.5","3.4.5.6")
| table src_ip, dst_ip, action

But you won't know which of src or dst is actually the malicious IP. That could probably be added with a bit more manipulation with an append or something after the fact.
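A worked illustration of what the subsearch above assembles, added here as an example rather than taken from the answer: it builds the quoted IN filter from a constructed list of threat IPs and then applies the same src/dst test to constructed traffic records, tagging which side matched, which is the gap the answer points out. The event dictionaries and field names (sus_ip, src_ip, dst_ip, action) are assumed to mirror the two indexes.

```python
# Added example, not from the original answer. Reproduces what the subsearch
# assembles (a quoted IN filter) and then applies the same match to traffic
# records, tagging whether src_ip or dst_ip hit the threat list.

# Constructed sample data standing in for index=threat and index=traffic.
THREAT_EVENTS = [
    {"sus_ip": "1.2.3.4"},
    {"sus_ip": "2.3.4.5"},
    {"sus_ip": "1.2.3.4"},  # duplicate: 'stats count by' collapses it
    {"sus_ip": "3.4.5.6"},
]
TRAFFIC_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "1.2.3.4", "action": "allowed"},
    {"src_ip": "2.3.4.5", "dst_ip": "10.0.0.9", "action": "blocked"},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.8", "action": "allowed"},
    {"src_ip": "3.4.5.6", "dst_ip": "1.2.3.4", "action": "blocked"},
]


def build_filter(threat_events):
    """Mirror the subsearch: dedupe sus_ip, quote each value, join into IN lists."""
    # stats count by sus_ip -> one row per distinct IP, ordered by the by-field
    sus_ips = sorted({e["sus_ip"] for e in threat_events})
    # eval sus_ip = "\"" . sus_ip . "\""  followed by mvjoin(sus_ip, ",")
    quoted = ",".join(f'"{ip}"' for ip in sus_ips)
    in_list = f"({quoted})"
    # eval filter = "src_ip IN " . sus_ip . " OR dst_ip IN " . sus_ip
    return f"src_ip IN {in_list} OR dst_ip IN {in_list}"


def match_traffic(traffic_events, threat_events):
    """Apply the same src/dst test the main search does, and record which side hit."""
    sus_ips = {e["sus_ip"] for e in threat_events}
    hits = []
    for ev in traffic_events:
        sides = [f for f in ("src_ip", "dst_ip") if ev[f] in sus_ips]
        if sides:
            hit = dict(ev)
            # The SPL filter alone cannot tell you this; the answer notes it needs extra work.
            hit["matched_on"] = ",".join(sides)
            hits.append(hit)
    return hits


if __name__ == "__main__":
    print("index=traffic " + build_filter(THREAT_EVENTS))
    for h in match_traffic(TRAFFIC_EVENTS, THREAT_EVENTS):
        print(h)
```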