I would like to blacklist (get an alert on) all ports except the approved port list, using the interesting ports list.
Please advise on the available options to achieve this.
Since the interesting ports list in ES is stored in a lookup, you can build an SPL query alert based on:
| inputlookup interesting_ports.csv
Use the field is_prohibited=true, I guess.
I think re-articulating the question would help to get the nearest answer. I want to mark every other port as prohibited except the approved ports in my environment.
The same applies to that, I guess. You can modify the interesting_ports.csv to match your needs.
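One way to turn the lookup into an allowlist, as an added example that is not from any post in this thread: treat every row in interesting_ports.csv with is_prohibited="false" as approved, and alert on any observed destination port/transport pair that is not in that set. It assumes the Network_Traffic data model is accelerated and that the CSV carries the columns dest_port, transport and is_prohibited.

```spl
| tstats summariesonly=true count
    from datamodel=Network_Traffic
    where All_Traffic.action="allowed"
    by All_Traffic.dest, All_Traffic.dest_port, All_Traffic.transport
| rename All_Traffic.* AS *
| search NOT
    [| inputlookup interesting_ports.csv
     | where is_prohibited="false"
     | fields dest_port transport]
| eval is_prohibited="true"
| stats sum(count) AS connections, values(dest) AS dest BY dest_port, transport
| sort - connections
```

The subsearch expands to an OR of approved (dest_port AND transport) pairs, so the NOT leaves only unapproved ports; save the search as a scheduled alert that triggers when it returns any rows, and keep is_prohibited="false" on the approved rows of the CSV rather than adding every prohibited port by hand.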