I'm attempting to create an automatic lookup that matches src_ip, dest_ip, and signature and returns a "reason" and "status" field. The events always contain src_ip, dest_ip, and signature. In the lookup table, we may have src_ip, dest_ip, and/or signature, but not all three are required.
Example lookup "whitelist.csv"
dest_ip,src_ip,signature,reason,status
8.8.8.8/32,0.0.0.0/0,456789,False Positive,Y
0.0.0.0/0,128.72.21.3,987654,Deemed Safe,Y
128.72.56.48,128.72.110.0/24,,Permitted,Y
I've already performed match typing in transforms.conf (see below)
[whitelist]
filename = whitelist.csv
match_type = CIDR(src_ip)
match_type = CIDR(dest_ip)
match_type = WILDCARD(signature)
What I need to happen is for the automatic lookup to match the "reason" and "status" fields based on the combination of src_ip, dest_ip, and signature (note: I'm using the CIDR notation 0.0.0.0/0 to indicate all IPs when the source or destination doesn't matter accordingly). I thought this solution would work but the automatic lookup just isn't functioning.
Any assistance provided is greatly appreciated.
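For reference, here is an added example (not code from the poster) of how the same whitelist can be expressed so the automatic lookup actually fires. It assumes an app-relative layout (etc/apps/<your_app>/local/transforms.conf, props.conf, and lookups/whitelist.csv) and a placeholder sourcetype named "ids"; the CSV rows are constructed to mirror the table in the question.

```ini
# --- lookups/whitelist.csv (constructed to mirror the post's table) ---
# The last row uses "*" in the signature column instead of an empty cell:
# a WILDCARD match compares the event's signature against the cell as a
# pattern, and an empty pattern matches nothing. Bare IPs in CIDR columns
# are written as /32 so every cell in those columns is valid CIDR notation.
# dest_ip,src_ip,signature,reason,status
# 8.8.8.8/32,0.0.0.0/0,456789,False Positive,Y
# 0.0.0.0/0,128.72.21.3/32,987654,Deemed Safe,Y
# 128.72.56.48/32,128.72.110.0/24,*,Permitted,Y

# --- transforms.conf ---
[whitelist]
filename = whitelist.csv
# All match types belong on ONE comma-separated line. A key repeated inside
# a .conf stanza is not merged; the last assignment wins, so the original
# three match_type lines left only WILDCARD(signature) in effect and both
# CIDR matches were silently dropped.
match_type = CIDR(src_ip), CIDR(dest_ip), WILDCARD(signature)
# First matching row wins, so put more specific rows above broad ones
# (e.g. a /32 rule above a 0.0.0.0/0 rule for the same signature).
max_matches = 1
# Optional: when no row matches, still emit the output fields with a fixed
# value so searches can rely on status="NONE" meaning "not whitelisted".
# default_match only takes effect when min_matches is greater than 0.
min_matches = 1
default_match = NONE

# --- props.conf ---
[ids]
# Automatic lookup: join on all three event fields, return reason and status.
LOOKUP-whitelist = whitelist src_ip dest_ip signature OUTPUT reason status
```

After deploying, a quick check is `| inputlookup whitelist` to confirm the CSV loads, followed by a search over the sourcetype with `| table src_ip dest_ip signature reason status`; events from an allowed pair should show the expected reason while everything else carries status=NONE.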