IP Watchlist Lookup

nlisle · ‎11-08-2019

Hello,

I currently have a search against our firewalls, below is the current search.

index=(my index) sourcetype="my_source" ipsrcip!=(ip)

I have a lookup file called 'threatip' that contains a list of source IP's in the first column named 'ip'. I would like to create a search that presents events from the initial search where the source IP from the lookup matches the source IP in the firewall logs.

Firewall log fields -

Source IP - 'srcip'

Lookup Table Fields -

Source IP - 'ip'

It seems so simple yet I am having some issues with it, advice would be much appreciated.

Thank you,
Nick.

jbillings · ‎02-11-2020

Try this
index=(my index) sourcetype="my_source" |search [|inputlookup threatip.csv | fields ip |rename ip as srcip]

woodcock · ‎11-08-2019

Like this:

index="myIndex" AND sourcetype="my_source" AND ipsrcip!=(ip) AND [|inputlookup MyLookupFile.csv | rename ip as srcip | table srcip]

OR

index="myIndex" AND sourcetype="my_source" AND ipsrcip!=(ip)
| lookup MyLookupFile.csv ip AS srcip OUTPUT ip AS MATCHED
| where isnotnull(MATCHED)

gcusello · ‎11-08-2019

Hi nlisle,
please try something like this:

index=my index sourcetype="my_source" [ | inputlookup threatip | rename ip AS srcip | fields srcip ]
| ...

Ciao.
Giuseppe

nlisle · ‎11-08-2019

Hi Giuseppe, I have tried this search however I receive no results. I can confirm that I have already added some data into the lookup, IP's that have hit the firewall in the past 30 days. I am also running my search over the last 30 days. Thanks.

IP Watchlist Lookup

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies