
Results from root search in a subsearch

Here is an overview of what I'm trying to accomplish. I have created a table that uses information in the threat activity index that shows the connections by source IPs to malicious IPs. I need to query our firewall index to determine if the connection was allowed or blocked by the destination and add it to the table. The subsearch would need to be something like "index=firewall sourcetype=firewall:IPS dest=$destIP$ (results from root search) | table action". I'm not sure how I would run a query that would add the action field to the table.

index=threat_activity source="Threat - Source And Destination Matches - Threat Gen" dest* threat_match_field=dest | eval time=strftime(_time, "%d/%m/%y %H:%M:%S") | iplocation dest | stats count as "Count" sparkline(Count) as "Sparkline" values(dest) as "Malicious IPs" values(threat_key) as "Threat Feed" earliest(time) AS "Earliest Time", latest(time) AS "Latest Time" values(Country) as "Country" by src | table src "Sparkline" "Malicious IPs" "Country" "Threat Feed" "Earliest Time" "Latest Time" Count | rename src as "Source IP" | sort -Count
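One way to build the table described above, added here as a worked example rather than taken from the original thread or from Splunk's own documentation. The root search is kept as posted; the firewall correlation runs as a subsearch of the threat-activity results (which makes the generated firewall search `(src="..." AND dest="...") OR ...`) and is attached with a left join on src so that sources with no matching firewall event still appear. It assumes the firewall events carry fields named src, dest and action (the post only confirms dest and action), that `dest*` in the posted search was meant as `dest=*`, and that `min(_time)`/`max(_time)` is used for the earliest and latest times instead of comparing the pre-formatted string field; the field name fw_action and the "no firewall event" placeholder are arbitrary choices.

```spl
index=threat_activity source="Threat - Source And Destination Matches - Threat Gen" threat_match_field=dest dest=*
| iplocation dest
| stats count AS Count
        sparkline(count) AS Sparkline
        values(dest) AS "Malicious IPs"
        values(threat_key) AS "Threat Feed"
        min(_time) AS earliest_time
        max(_time) AS latest_time
        values(Country) AS Country
        BY src
| join type=left src
    [ search index=firewall sourcetype=firewall:IPS
        [ search index=threat_activity source="Threat - Source And Destination Matches - Threat Gen" threat_match_field=dest dest=*
          | stats count BY src dest
          | fields src dest ]
      | stats values(action) AS fw_action BY src ]
| fillnull value="no firewall event" fw_action
| eval earliest_time=strftime(earliest_time, "%d/%m/%y %H:%M:%S"),
       latest_time=strftime(latest_time, "%d/%m/%y %H:%M:%S")
| rename src AS "Source IP", earliest_time AS "Earliest Time", latest_time AS "Latest Time", fw_action AS "Firewall Action"
| table "Source IP" Sparkline "Malicious IPs" Country "Threat Feed" "Earliest Time" "Latest Time" Count "Firewall Action"
| sort - Count
```

Two things to check before relying on this. First, the innermost subsearch returns only src and dest, so the firewall search is filtered to exactly the source/destination pairs seen in the threat index; if the firewall sourcetype names those fields differently (src_ip, dest_ip), rename them inside the subsearch to match, otherwise the generated search silently matches nothing and every row gets the placeholder. Second, subsearches are capped by default (10,000 results and 60 seconds for a `[ ]` subsearch, 50,000 results for the subsearch fed to join); over a long time range with many alerts the subsearch is truncated without a hard error, so for a production dashboard it is safer to schedule the firewall correlation into a lookup or summary index and enrich the table from that instead.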
