I am having issues with displaying data based on the results from the lookup table.
I am using the search below, which works perfectly fine, but the only issue I have is that it does not tell me which IOC caused the event to be generated. I can tell by looking at the raw event or other interesting fields, but that is time consuming, which defeats the purpose of the dashboard that I am building out.
Search:
index=zyx [| inputlookup URLList.csv | rename BI_URL as query | fields query]
| lookup URLList.csv BI_URL AS url OUTPUTNEW BI_URL IOCs_ADDED_DATE REPORT_TYPE THREAT_TYPE
| lookup URLList.csv BI_URL AS dest_hostname OUTPUTNEW BI_URL IOCs_ADDED_DATE REPORT_TYPE THREAT_TYPE
| lookup URLList.csv BI_URL AS dest OUTPUTNEW BI_URL IOCs_ADDED_DATE REPORT_TYPE THREAT_TYPE
| rename BI_URL as IOC_Match
| table _time IOC_Match IOCs_ADDED_DATE REPORT_TYPE THREAT_TYPE index sourcetype url dest dest_ip src_ip _raw
Events are being generated, but these fields are returned blank:
IOC_Match IOCs_ADDED_DATE REPORT_TYPE THREAT_TYPE.
Here is the scenario:
Let's say in the lookup table I have an IOC value, cnn.com, and I run the query above.
It will work perfectly fine. It will show there was network traffic going out to money.cnn.com or cnn.com/xyz, and it will show that in the dest or url field. How can I make it show the IOC cnn.com from the lookup table in the IOC_Match column?
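The blank columns come from how `lookup` matches by default: the whole field value (`money.cnn.com`, `https://cnn.com/xyz`) has to equal the `BI_URL` cell exactly, so only an event whose `dest` is literally `cnn.com` gets enriched. The Python below is an added example (not the poster's search and not Splunk's own lookup code) that emulates that exact-match behaviour next to a domain-suffix match, using a constructed lookup table with the question's column names and a few constructed events with the question's field names. In Splunk the same idea is a lookup definition with `match_type = WILDCARD(BI_URL)` and `*cnn.com`-style entries, or an `eval` that derives the registered domain before the `lookup`.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed lookup table with the same column names as the question's URLList.csv
LOOKUP_CSV = """BI_URL,IOCs_ADDED_DATE,REPORT_TYPE,THREAT_TYPE
cnn.com,2024-01-15,OSINT,suspicious-domain
evil-example.net,2024-02-01,vendor-feed,c2
"""

# Constructed sample events carrying the fields the search in the question looks up
EVENTS = [
    {"_time": "2024-03-01T10:00:00", "url": "http://money.cnn.com/markets",
     "dest_hostname": "money.cnn.com", "dest": "10.0.0.5"},
    {"_time": "2024-03-01T10:01:00", "url": "https://cnn.com/xyz", "dest": "cnn.com"},
    {"_time": "2024-03-01T10:02:00", "dest_hostname": "beacon.evil-example.net"},
    {"_time": "2024-03-01T10:03:00", "dest": "example.org"},
]

# The three fields the question's search tries in turn
MATCH_FIELDS = ("url", "dest_hostname", "dest")


def load_lookup(csv_text):
    """Index lookup rows by lower-cased BI_URL so matching is case-insensitive."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["BI_URL"].strip().lower(): row for row in reader}


def hostname_of(value):
    """Pull the host out of a URL or bare hostname; None for empty values or IPv4 addresses."""
    if not value:
        return None
    if "://" not in value:
        value = "//" + value  # urlparse only sees a netloc in scheme-relative form
    host = urlparse(value).hostname
    if host is None or host.replace(".", "").isdigit():
        return None
    return host.lower()


def exact_match(event, lookup, fields=MATCH_FIELDS):
    """What `| lookup` does by default: the entire field value must equal BI_URL."""
    for f in fields:
        key = (event.get(f) or "").lower()
        if key in lookup:
            return lookup[key]
    return None


def domain_suffix_match(event, lookup, fields=MATCH_FIELDS):
    """Match when the event host is the IOC domain itself or any subdomain of it."""
    for f in fields:
        host = hostname_of(event.get(f))
        if host is None:
            continue
        labels = host.split(".")
        # Candidates for money.cnn.com are money.cnn.com then cnn.com; the bare
        # TLD is never tried, so a lookup row of just "com" could not match everything.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in lookup:
                return lookup[candidate]
    return None


def enrich(events, lookup, matcher):
    """Add IOC_Match and the other lookup columns to each event (OUTPUTNEW + rename)."""
    out = []
    for ev in events:
        row = matcher(ev, lookup)
        enriched = dict(ev)
        if row is not None:
            enriched["IOC_Match"] = row["BI_URL"]
            for col in ("IOCs_ADDED_DATE", "REPORT_TYPE", "THREAT_TYPE"):
                enriched[col] = row[col]
        out.append(enriched)
    return out


if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_CSV)
    for name, matcher in (("exact", exact_match), ("suffix", domain_suffix_match)):
        print(f"--- {name} match ---")
        for ev in enrich(EVENTS, lookup, matcher):
            seen = ev.get("url") or ev.get("dest_hostname") or ev.get("dest")
            print(ev["_time"], seen, "->", ev.get("IOC_Match"))
```

Running it shows the exact matcher populating IOC_Match only for the event whose `dest` is literally `cnn.com`, while the suffix matcher also tags `money.cnn.com` and `beacon.evil-example.net` with the IOC row they belong to. The same mismatch explains why the subsearch finds the events (the indexed term `cnn.com` is present in the raw text) but the lookup afterwards returns nothing for them.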