|
@@ -122,7 +122,7 @@ FROM firewall_logs # The source index
|
|
|
| LOOKUP JOIN threat_list ON source.ip # The lookup index and join field
|
|
|
| WHERE threat_level IS NOT NULL # Filter for rows non-null threat levels
|
|
|
| SORT timestamp # LOOKUP JOIN does not guarantee output order, so you must explicitly sort the results if needed
|
|
|
-| KEEP timestamp, source.ip, destination.ip, action, threat_level, threat_type # Keep only relevant fields
|
|
|
+| KEEP source.ip, action, threat_type, threat_level # Keep only relevant fields
|
|
|
| LIMIT 10 # Limit the output to 10 rows
|
|
|
```
|
|
|
|
|
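Review bot: dropping `timestamp` from the KEEP list in this hunk leaves the `SORT timestamp` line above it with no visible effect, and the comment on that line ("you must explicitly sort the results if needed") now refers to a field the reader never sees in the output. Either keep the field (`| KEEP timestamp, source.ip, action, threat_type, threat_level`) or extend the SORT comment to say that SORT is applied before KEEP, so the ordering holds even though the field is not returned. The new column order (`threat_type` before `threat_level`) also needs to be the order used in the example output table that follows, since the table is what readers check the query against.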
@@ -130,13 +130,11 @@ FROM firewall_logs # The source index
|
|
|
|
|
|
A successful query will output a table. In this example, you can see that the `source.ip` field from the `firewall_logs` index is matched with the `source.ip` field in the `threat_list` index, and the corresponding `threat_level` and `threat_type` fields are added to the output.
|
|
|
|
|
|
-```
|
|
|
- source.ip | action | threat_type | threat_level
|
|
|
----------------+---------------+---------------+---------------
|
|
|
-203.0.113.5 |allow |C2_SERVER |high
|
|
|
-198.51.100.2 |block |SCANNER |medium
|
|
|
-203.0.113.5 |allow |C2_SERVER |high
|
|
|
-```
|
|
|
+|source.ip|action|threat_type|threat_level|
|
|
|
+|---|---|---|---|
|
|
|
+|203.0.113.5|allow|C2_SERVER|high|
|
|
|
+|198.51.100.2|block|SCANNER|medium|
|
|
|
+|203.0.113.5|allow|C2_SERVER|high|
|
|
|
|
|
|
### Additional examples
|
|
|
|
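Review bot: the markdown table in this hunk repeats `|203.0.113.5|allow|C2_SERVER|high|` verbatim, and now that the result is rendered as a table instead of a fenced text block a reader is likely to read the duplicate as a copy-paste error rather than as two firewall events matching the same threat entry. Either make the third row a distinct event or add one sentence after the table (before `### Additional examples`) saying that every matching row in `firewall_logs` produces its own output row, so one `threat_list` entry can appear several times. Minor: the header cells could be written as `source.ip` etc. in backticks to match how the field names are written in the sentence above the table.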