Hi,
I have a query that produces the results I want but now I need to add some extra fields to the events.
I have a lookup csv (e.g. Bad_IOC.csv) with column names "type" and "value".
Under "type" I may have domains, hashes, IP(s) and under "value" I will have the corresponding "domain.tld", "file-hashes", "ip_addresses".
Example query
index=network_data sourcetype=foo [inputlookup Bad_IOC.csv | fields value | rename value as search | format maxresults=1000] | stats values(URL)
Index=network_data contains a field called "URL" which contains strings with domains I want to match against Bad_IOC.csv lookup.
The results of the above query successfully find matches of URL values with listed domains on Bad_IOC.csv. Let's say "malicious.com" is on the Bad_IOC.csv and when I run the query I get one exact match "malicious.com" and two matches with the pattern "malicious.com" i.e. cdn.malicious.com and san.cdn.malicious.com.edgekey.net...
What I need is to produce a table where the following additional information is appended.
URL                                match          type
cdn.malicious.com                  malicious.com  domain
san.cdn.malicious.com.edgekey.net  malicious.com  domain
malicious.com                      malicious.com  domain
Please advise the best way to create new output from the matches.
The objective is primarily to tag the matches with the ioc (in this case domain "malicious.com") and the type (which is domain).
Thank you
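The tagging logic the question describes, as an added Python example that is not part of the original post or of Splunk: it loads a constructed stand-in for Bad_IOC.csv, classifies each URL against the domain IOCs as an exact, subdomain or substring match, and emits the URL/match/type rows the post asks for. The function names (load_iocs, host_of, match_kind, tag_urls) and all sample data are assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed stand-in for the poster's Bad_IOC.csv (columns "type" and "value").
BAD_IOC_CSV = """type,value
domain,malicious.com
ip,203.0.113.7
hash,d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed URL field values: the post's three matches plus a look-alike host.
SAMPLE_URLS = [
    "cdn.malicious.com",
    "san.cdn.malicious.com.edgekey.net",
    "malicious.com",
    "http://notmalicious.com/path",
]

def load_iocs(csv_text):
    """Return (type, value) pairs from the lookup CSV text."""
    return [(r["type"], r["value"]) for r in csv.DictReader(io.StringIO(csv_text))]

def host_of(url):
    """Hostname of a bare host or a full URL, lower-cased."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def match_kind(host, domain):
    """How host relates to a domain IOC: exact, subdomain, substring, or None."""
    if host == domain:
        return "exact"
    if host.endswith("." + domain):
        return "subdomain"
    if domain in host:
        return "substring"  # contains the IOC but is not under it, e.g. the edgekey host
    return None

def tag_urls(urls, iocs):
    """One row per matching URL: the IOC value, its type, and how it matched."""
    rows = []
    for url in urls:
        host = host_of(url)
        for ioc_type, ioc_value in iocs:
            kind = match_kind(host, ioc_value.lower()) if ioc_type == "domain" else None
            if kind:
                rows.append({"URL": url, "match": ioc_value, "type": ioc_type, "how": kind})
    return rows
```

The extra "how" column separates a true subdomain from a host that merely contains the IOC string (the edgekey case, or a look-alike such as notmalicious.com), so an analyst can tell a hit on the listed domain from a substring coincidence.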