index=proxy domain=*
| rename domain as emotet_domain
| where
[| inputlookup test
| fields emotet_domain]
| stats values(emotet_domain) as emotetDomain
So, inside the lookup list I want to be able to match, for example, a threat of reason.com OR www.reason.com.
I added the match_type option of WILDCARD(emotet_domain) and I have also tried WILDCARD(domain). I am not sure which one will wildcard it, but as of right now it is NOT working.
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
Assuming that your lookup has domain values like reason.com, all you need to do is this and then it should work:
inputlookup test
| eval emotet_domain = "*." . emotet_domain
| outputlookup test
Then use it like this:
index=proxy domain=*
| lookup test emotet_domain AS domain OUTPUT emotet_domain AS MATCHED
| where isnotnull(MATCHED)
Thanks, this would definitely help in the future; unfortunately, what is below will help even better.
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
So, what this is doing is searching all the events that happened and that match. I need to match only the latest event so that it only triggers an alert.
I also need to add more to it as well, such as:
index=proxy domain=* OR index=network* src_ip=* dest_ip=*
[| inputlookup test
| stats values(emotet_domain) as query, values(emotet_ip) as IP
|format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
| lookup test emotet_ip as dest_ip OUTPUT emotet_ip
| lookup test emotet_ip as src_ip OUTPUT emotet_ip
Will this work?
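As an added example that is not part of this thread (and not Splunk code), the following Python stand-in shows the two things the question is really about: matching proxy domains against a threat lookup so that both the apex (reason.com) and any subdomain (www.reason.com) hit without substring false positives such as notreason.com, and reducing the matches to the latest event per indicator so an alert fires once. The lookup CSV, the events, the field names (emotet_domain, emotet_ip, domain, src_ip, dest_ip) and the IP/domain values are all constructed for the example. The glob check at the end illustrates the caveat with the "*." prefix approach: a pattern like *.reason.com matches subdomains but not the apex itself.

```python
"""Label-based IoC matching and latest-event reduction (constructed data)."""
import csv
import io
from fnmatch import fnmatchcase

# Constructed stand-in for the `test` lookup CSV from the thread.
LOOKUP_CSV = """emotet_domain,emotet_ip
reason.com,203.0.113.10
bad-example.net,198.51.100.7
"""

# Constructed proxy/network events; _time is epoch seconds as in Splunk.
EVENTS = [
    {"_time": 1700000000, "index": "proxy", "domain": "www.reason.com"},
    {"_time": 1700000060, "index": "proxy", "domain": "reason.com"},
    {"_time": 1700000120, "index": "proxy", "domain": "notreason.com"},  # substring trap
    {"_time": 1700000180, "index": "proxy", "domain": "cdn.bad-example.net."},  # trailing dot
    {"_time": 1700000240, "index": "network", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10"},
    {"_time": 1700000300, "index": "network", "src_ip": "198.51.100.7", "dest_ip": "10.0.0.9"},
    {"_time": 1700000360, "index": "proxy", "domain": "example.org"},
]


def normalize_domain(d):
    """Lower-case and strip whitespace and a trailing FQDN dot."""
    return d.strip().lower().rstrip(".")


def load_lookup(text):
    """Parse the lookup CSV into a set of domains and a set of IPs."""
    domains, ips = set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("emotet_domain"):
            domains.add(normalize_domain(row["emotet_domain"]))
        if row.get("emotet_ip"):
            ips.add(row["emotet_ip"].strip())
    return domains, ips


def matched_indicator(domain, indicators):
    """Return the indicator that `domain` equals or is a subdomain of, else None.

    Matching is done on whole DNS labels, so www.reason.com matches reason.com
    but notreason.com does not (a plain substring test would match it).
    """
    labels = normalize_domain(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def match_events(events, domains, ips):
    """Tag each event with the indicator it hit; drop events with no hit."""
    hits = []
    for e in events:
        ind = None
        if "domain" in e:
            ind = matched_indicator(e["domain"], domains)
        else:
            # Check both directions, like the two `lookup ... emotet_ip` lines.
            for field in ("dest_ip", "src_ip"):
                if e.get(field) in ips:
                    ind = e[field]
                    break
        if ind is not None:
            hits.append({**e, "indicator": ind})
    return hits


def latest_per_indicator(hits):
    """Keep only the newest event per indicator (one alert per indicator)."""
    latest = {}
    for h in hits:
        current = latest.get(h["indicator"])
        if current is None or h["_time"] > current["_time"]:
            latest[h["indicator"]] = h
    return latest


def glob_match(domain, pattern):
    """Case-sensitive glob match, used to show what a '*.' prefix does and does not cover."""
    return fnmatchcase(normalize_domain(domain), pattern)


if __name__ == "__main__":
    doms, addrs = load_lookup(LOOKUP_CSV)
    for ind, ev in latest_per_indicator(match_events(EVENTS, doms, addrs)).items():
        print(ind, ev["_time"], ev["index"])
```

The Splunk analogue of latest_per_indicator is a trailing `| stats latest(_time) as _time by emotet_domain` (or by whichever matched field you output), which is what collapses repeated hits into one row per indicator before the alert condition is evaluated.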
I see what you want.
Let's ask another question.
In the meantime, please provide a CSV sample and your settings.