I have a lookup table (imported CSV) containing lots of Indicators of compromise in a format like this:
Is there any way to combine this lookup table with a search like this:
exists:url AND lookup(ioc_lookup, url)
I.e. I want to find all events where a certain field exists and if so I want to search through the lookup table.
This would be tremendously helpful to find past Zero-Day Exploits whose IOCs weren’t in the lookup table at the point when the incident happened.
This post seems to be the same as this one…
1. Describe your incident:
I am trying to create a data adapter whose values I can look up using a regex pattern.
Let’s say I have values like this in my CSV:
Is there a way to search through the data adapter using a regex, e.g. .*malicious-address.br.* ?
Yeah, you can do that; it also depends on the type of data adapter you're using.
Thanks but that is not what I meant.
I want to match every event with a condition against my lookup table. But perhaps that is something one could combine.
Let me describe it more in detail in the other thread.
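As an added illustration (not code from either thread, and not Graylog's own lookup-table or search implementation), the following standalone Python script does outside of the search engine what both posts ask for: it loads an IOC CSV into a lookup, keeps only events that actually carry a url field (the exists:url half of the query), and flags those whose url matches a lookup entry either literally or via a regex entry such as .*malicious-address.br.* (the data-adapter question). The CSV rows, the "type" column that marks an entry as literal or regex, the event records and the IocLookup/find_ioc_hits names are all constructed for this example.

```python
import csv
import io
import re
from typing import Dict, Iterable, List, Optional, Pattern, Tuple

# Constructed sample IOC CSV standing in for the imported lookup table.
# The "type" column (an assumption of this example) tells the loader whether
# "key" is a literal value or a regular expression.
IOC_CSV = """key,type,description
http://malicious-address.br/login.php,literal,phishing kit
.*malicious-address.br.*,regex,any URL on the phishing domain
evil-cdn.example/.*\\.js,regex,malicious script host
"""

# Constructed sample events (e.g. proxy logs). Event 5 has no url field at all,
# which is exactly the case exists:url is meant to exclude.
EVENTS = [
    {"_id": "1", "source": "proxy", "url": "http://malicious-address.br/login.php"},
    {"_id": "2", "source": "proxy", "url": "https://www.malicious-address.br/img/x.png"},
    {"_id": "3", "source": "proxy", "url": "https://evil-cdn.example/app/bundle.js"},
    {"_id": "4", "source": "proxy", "url": "https://example.org/index.html"},
    {"_id": "5", "source": "auth", "user": "alice"},
]


class IocLookup:
    """Emulates a CSV-backed lookup table with literal and regex entries."""

    def __init__(self, csv_text: str) -> None:
        self.literals: Dict[str, str] = {}
        self.patterns: List[Tuple[Pattern[str], str]] = []
        for row in csv.DictReader(io.StringIO(csv_text)):
            key = row["key"].strip()
            if row["type"].strip() == "regex":
                # Compiled once at load time; matched with re.search below, so an
                # entry that should match the whole value must anchor itself (^...$).
                self.patterns.append((re.compile(key, re.IGNORECASE), row["description"]))
            else:
                # Literal keys are normalised to lower case for a case-insensitive hit.
                self.literals[key.lower()] = row["description"]

    def lookup(self, value: str) -> Optional[str]:
        """Return the IOC description for value, or None when it is not an IOC."""
        hit = self.literals.get(value.lower())
        if hit is not None:
            return hit
        for pattern, description in self.patterns:
            if pattern.search(value):
                return description
        return None


def find_ioc_hits(events: Iterable[dict], lookup: IocLookup, field: str = "url") -> List[Tuple[str, str, str]]:
    """exists:<field> AND lookup(ioc_lookup, <field>), evaluated event by event."""
    hits: List[Tuple[str, str, str]] = []
    for event in events:
        value = event.get(field)
        if not value:  # exists:<field> is false for this event, skip it
            continue
        description = lookup.lookup(value)
        if description is not None:
            hits.append((event["_id"], value, description))
    return hits


if __name__ == "__main__":
    ioc_lookup = IocLookup(IOC_CSV)
    for event_id, url, why in find_ioc_hits(EVENTS, ioc_lookup):
        print(f"event {event_id}: {url} -> {why}")
```

Re-running find_ioc_hits over archived events after the CSV has been updated is the retroactive check the first post is after: an IOC that was unknown at the time of the incident is still found once the lookup contains it. Regex entries are matched with re.search, so authors of broad patterns like .*malicious-address.br.* should be aware that an unanchored pattern matches anywhere in the value.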