Use Lookup Table to search trough past data

dmuensterer · October 10, 2022, 3:57pm

I have a lookup table (imported CSV) containing lots of Indicators of compromise in a format like this:
ioc_value,ioc_type
e8bf8789a98b009c98d98c98,md5
https://malicious.com,url

Is there any way to combine this lookup table with a search like this:
exists:url AND lookup(ioc_lookup, url)

I.e. I want to find all events where a certain field exists and if so I want to search through the lookup table.

This would be tremendously helpful to find past Zero-Day Exploits whose IOCs weren’t in the lookup table at the point when the incident happened.

gsmith · October 11, 2022, 12:19am

Hello,

This posts seams to be the same as this one…

Yeah you can do that, it also depends on the type of data adapter your using.

dmuensterer · October 11, 2022, 5:29am

Thanks but that is not what I meant.
I want to match every event with a condition against my lookup table. But perhaps that is something one could combine.
Let me describe it more in detail in the other thread.

system · October 25, 2022, 5:29am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Search through CSV Data adapter via Regex Graylog Central (peer support)	7	351	October 25, 2022
Lookup table composed key Graylog Central (peer support) pipeline-rules	3	1066	July 23, 2020
CSV lookup not working Graylog Central (peer support)	6	365	February 23, 2023
Lookup table using data stored in MySQL? Graylog Central (peer support)	2	643	March 18, 2021
Using CSV lookup table to create more fields in message stream? Graylog Central (peer support) pipeline-rules	6	357	November 27, 2023

Use Lookup Table to search trough past data

Related Topics