Threat Feed Lookup

Now we need to add the compromised IP info to our data. This lookup is a little different than a regular CSV-based lookup. In most cases, you're looking for a specific value in one field of the CSV, in order to return one or more result fields from the same line as the match.

This compromised-ips.csv file has just a single field – it's basically just a list of IP addresses, and we only want to check if the field value we're passing in exists somewhere in the file. Instead of using a Lookup Function, we're going to use an Eval Function with a C.Lookup().match() expression.

important
  1. Click the Cribl upper tab.
  2. If you're not already there, select Manage from Stream's top nav, then select Processing > Pipelines from the submenu.
  3. Find and click the firewall_enrich Pipeline.
  4. If you need to refresh the events displayed in Stream's right pane, click Simple again (at the lower right, to the right of the pan_firewall_traffic_conditioned.log sample file), and then click the OUT button at the top of the right pane.
  5. Click the Add Function button near the top of the left pane. Type Eval into the search box, and click the Eval link to add this Function.
  6. Scroll the left pane to the bottom, and click into the new Eval Function.
  7. Under Evaluate Fields, click + Add Field. Put compromised in the Name field, and copy/paste the following into the Value Expression field:
    C.Lookup('compromised-ips.csv').match(src_ip) ? true : false
  8. Click Save.

This C.Lookup().match() expression checks whether the IP address contained in src_ip is present in the lookup file. It returns true if so, false if not. The result is that a new compromised field will show up in every record, with a value of either true or false.

[Image: Compromised Field in an Event]
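To make the mechanics of this single-field lookup concrete, here is a stand-alone JavaScript model of what the Eval expression does: load a one-column IP list, check exact membership, and set compromised on each event. This is an added example, not Cribl's own code; the CSV content, the events, and the loadIpList/match/enrich helper names are constructed for illustration.

```javascript
// Added example, not Cribl's own code: a stand-alone model of the single-column
// lookup that C.Lookup('compromised-ips.csv').match(src_ip) performs.
// The CSV text and the events below are constructed sample data.

// Constructed stand-in for compromised-ips.csv: one IP per line, with the kind
// of noise (header row, blank line, stray whitespace) a real feed may contain.
const COMPROMISED_IPS_CSV = [
  "ip",
  "203.0.113.7",
  "198.51.100.23 ",
  "",
  "192.0.2.99",
].join("\n");

// Parse a single-field CSV into a Set of exact strings. Lines are trimmed so
// trailing whitespace in the feed does not silently defeat a match, and only
// IPv4-shaped rows are kept, which drops a header row or junk line.
function loadIpList(csvText) {
  const isIpv4 = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
  return new Set(
    csvText.split(/\r?\n/).map((line) => line.trim()).filter(isIpv4)
  );
}

// Mirrors the shape of C.Lookup(...).match(value): returns the matching row
// when present, otherwise undefined, so the caller decides how to coerce it.
function match(ipSet, value) {
  return ipSet.has(value) ? { ip: value } : undefined;
}

// Apply the tutorial's Eval Function to each event:
// compromised = match(src_ip) ? true : false
function enrich(events, ipSet) {
  return events.map((evt) => ({
    ...evt,
    compromised: match(ipSet, evt.src_ip) ? true : false,
  }));
}

// Constructed events resembling conditioned PAN firewall traffic records.
const SAMPLE_EVENTS = [
  { src_ip: "203.0.113.7", dest_ip: "10.0.0.5", action: "allow" },
  { src_ip: "198.51.100.23", dest_ip: "10.0.0.8", action: "deny" },
  { src_ip: "10.1.1.1", dest_ip: "10.0.0.9", action: "allow" },
  { dest_ip: "10.0.0.9", action: "allow" }, // event with no src_ip at all
];

const IP_SET = loadIpList(COMPROMISED_IPS_CSV);
const ENRICHED = enrich(SAMPLE_EVENTS, IP_SET);
console.log(ENRICHED);
```

An event without src_ip simply gets compromised: false, which is the behaviour to expect from the real Eval Function when the field is missing from a record.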

Let's take a look at the results...

important
  1. Click the Kibana - Events upper tab, and hit Refresh to see the most recent events. If you expand the first event, you should see a new field named compromised.
  2. Click the Kibana - Map upper tab, and hit Refresh to map the most recent events.

You should now see a red border appear around any country that is sending traffic from a compromised IP address. The thickness of the border reflects how many events from compromised IPs are coming from that country. It will look similar to the image below (with some variation, due to the variability of the data).

[Image: Compromised IP Map View]