Search through CSV Data adapter via Regex

1. Describe your incident:
I am trying to create a data adapter whose values I can look up by using a regex pattern.
Let’s say I have values like this in my CSV:

url,status
https://attacker-ip.com/1234,online
http://malicious-address.br/abc,online

Is there a way to search through the data adapter by using a regex like e.g. .malicious-address.br.

Just to recap your problem: you have a CSV with

url,status
https://attacker-ip.com/1234,online
http://malicious-address.br/abc,online

and you have a field in one of your messages with

.malicious-address.br.

Now you want to do a little regex-magic to find that domain in your CSV?
I would recommend to extract all the domains from your CSV into another CSV and search in that from your lookup table.
Then extract the exact domain name from your field and use this for the search in the new domain-only CSV.

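The approach recommended in the reply above, as an added example that is not part of the original thread: build a domain-only CSV from the url,status file, then reduce the message field to a bare hostname for an exact-match lookup. The function names and the extra sample rows are assumptions made for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample: the two rows quoted in the thread, plus a duplicate
# host (different case and port) and a malformed row.
SAMPLE_CSV = """url,status
https://attacker-ip.com/1234,online
http://malicious-address.br/abc,online
http://Malicious-Address.br:8080/other,online
not a url,offline
"""

def host_of(value):
    """Return the lower-cased hostname of a URL or bare host, else None."""
    value = value.strip()
    if not value or " " in value:
        return None
    if "//" not in value:            # urlsplit needs "//" to find the host
        value = "//" + value
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:               # e.g. malformed IPv6 literal
        return None
    return host.strip(".").lower() or None

def build_domain_csv(url_csv_text):
    """Turn url,status CSV text into deduplicated domain,status CSV text."""
    seen = {}
    for row in csv.DictReader(io.StringIO(url_csv_text)):
        host = host_of(row.get("url") or "")
        if host:
            seen.setdefault(host, row.get("status") or "")  # first status wins
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["domain", "status"])
    writer.writerows(sorted(seen.items()))
    return out.getvalue()

def lookup(domain_csv_text, field_value):
    """Exact-match lookup of a message field in the domain-only CSV."""
    rows = csv.DictReader(io.StringIO(domain_csv_text))
    table = {r["domain"]: r["status"] for r in rows}
    return table.get(host_of(field_value))

if __name__ == "__main__":
    domains = build_domain_csv(SAMPLE_CSV)
    print(domains, end="")
    print(lookup(domains, ".malicious-address.br."))   # field value from the thread
```

The match is exact on the hostname, so a subdomain such as login.malicious-address.br does not hit the malicious-address.br row. Here host_of stands in for whatever extraction is applied to the message field before the lookup.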

That’s exactly what I want to do.
Okay, seems like it’s not possible then, unfortunate!

Hello,

If you can give us some more info or examples, perhaps I can lab.

Hi gsmith,
thanks for the reply.
Please have a look at the GitHub issue where I’ve explained it in more detail with some examples:

I’m looking forward to hearing your feedback on feasibility.

Quote from the git:

Why?
Let’s assume all client DNS lookups are logged. A user clicks on a phishing link and enters his credentials.
Since the phishing site is very new, the domain is not contained in any IOC database and therefore a lookup of the domain in the Pipeline is not successful.
10 days later, the phishing domain is known and in the lookup table.
It would be awesome to be able to make a search if any client was affected in the past.

I agree that searching through your older logs for new IOCs is a valid scenario. But I don’t see a way to put old logs through the pipeline once again. Decorators will not do, as they only process logs shown on your screen and it is not possible to filter based on results of their decorations.
So far we are helping ourselves with a little script doing queries on the stream. Every time we add a new IOC we scan the last days for it. This is a little Python magic outside of Graylog, but does the job. If we have findings we send them as new logs into Graylog with GELF from that script.


Exactly, I don’t see the solution in putting old logs through the pipeline again but much rather implementing a feature similar to your Python solution into Graylog, that is, being able to use lookup tables not only for decorators and pipelines but also search queries.
This feature would allow endless opportunities for log enrichment and searching.
