Use Lookup Table to search trough past data

dmuensterer · October 10, 2022, 3:57pm

I have a lookup table (imported CSV) containing lots of Indicators of compromise in a format like this:
ioc_value,ioc_type
e8bf8789a98b009c98d98c98,md5
https://malicious.com,url

Is there any way to combine this lookup table with a search like this:
exists:url AND lookup(ioc_lookup, url)

I.e. I want to find all events where a certain field exists and if so I want to search through the lookup table.

This would be tremendously helpful to find past Zero-Day Exploits whose IOCs weren’t in the lookup table at the point when the incident happened.

gsmith · October 11, 2022, 12:19am

Hello,

This posts seams to be the same as this one…

Yeah you can do that, it also depends on the type of data adapter your using.

dmuensterer · October 11, 2022, 5:29am

Thanks but that is not what I meant.
I want to match every event with a condition against my lookup table. But perhaps that is something one could combine.
Let me describe it more in detail in the other thread.

system · October 25, 2022, 5:29am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Search through CSV Data adapter via Regex Graylog Central (peer support)	7	406	October 25, 2022
Some questions about lookup tables Graylog Central (peer support)	5	1476	October 17, 2017
CSV lookup not working Graylog Central (peer support)	6	547	February 23, 2023
Lookup table using data stored in MySQL? Graylog Central (peer support)	2	685	March 18, 2021
Database Data Adapter Graylog Central (peer support)	2	1827	August 7, 2018

Use Lookup Table to search trough past data

Related topics