Cribl Sandbox

    Where Did You Go?

    We should also create a Lookup for the Destination IP addresses for completeness. This should be quick, though, since a Lookup for Destination IPs is almost a copy-and-paste of the Source IP Lookup.

    important

    Copy and paste the Lookup Function

    1. Click ... on the right of the Lookup
    2. Click Copy
    3. Paste the function in by
      • Clicking the Paste Function icon to the left of + Function in the top right
        OR
      • Using your computer's paste shortcut (for example: command + v on Mac)

    Change the following information in the second Lookup Function

    1. Change Filter to
      C.Net.isPrivate(dst_ip)
    2. Under Lookup Fields, change Lookup Field Name in Event to dst_ip
    3. Under Output Fields, change Lookup Field Name in Event to dst_subnet_usage
    4. Click Save
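    To see what the two Lookup Functions do to an event, here is an added example (not part of the Sandbox or Cribl's own code) that reproduces the Pipeline's behaviour outside Stream: a private-IP filter standing in for C.Net.isPrivate(), a constructed lookup table, and the Source and copied Destination lookups writing src_subnet_usage and dst_subnet_usage. The lookup file's column names, its CIDR contents and the sample events are assumptions.

```python
import csv
import io
import ipaddress

# Constructed lookup table standing in for the Sandbox's subnet lookup file.
# Column names and the use of CIDR ranges are assumptions; only src_ip/dst_ip
# and the *_subnet_usage output fields come from the tutorial.
LOOKUP_CSV = """subnet,subnet_usage
10.10.0.0/16,corp-workstations
10.20.0.0/16,servers
192.168.50.0/24,guest-wifi
"""


def load_lookup(text):
    """Parse the lookup file into (network, usage) pairs, most specific prefix first."""
    rows = csv.DictReader(io.StringIO(text))
    nets = [(ipaddress.ip_network(r["subnet"]), r["subnet_usage"]) for r in rows]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)


def is_private(ip):
    """Approximation of the C.Net.isPrivate() Filter: True for RFC 1918 and
    other non-public ranges, False for public addresses or unparsable values."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def lookup_function(event, lookup, in_field, out_field):
    """One Lookup Function: apply the Filter, match the event field against the
    table, and add the output field only when a row matches (unmatched events
    pass through unchanged, as they do in Stream)."""
    ip = event.get(in_field)
    if ip is None or not is_private(ip):
        return event
    addr = ipaddress.ip_address(ip)
    for net, usage in lookup:
        if addr in net:
            return {**event, out_field: usage}
    return event


def enrich(event, lookup):
    """Run the Source lookup, then the copied Destination lookup, as in the Pipeline."""
    event = lookup_function(event, lookup, "src_ip", "src_subnet_usage")
    return lookup_function(event, lookup, "dst_ip", "dst_subnet_usage")
```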

    Awesome. Let’s save our Pipeline and check what it does to the Sample Data.

    Checking Our Work

    The right Sample Data Pane displays all the sample data that has either been uploaded (captured elsewhere) or sampled from one of the configured Sources. In our case, our sample data is Palo Alto firewall logs that were sampled live from the connected syslog:paloalto Source.

    important

    Preview the Pipeline with Sample Data

    1. Click Simple on the far right of the pan_firewall_traffic.log entry
    2. In the top left of the Sample Pane, click Out to show the output of our Pipeline

    Stream displays how our Functions transform the data inside a Pipeline. We have discussed this in our previous courses, so today we are just going to click and look.

    We have two new possible fields (shown in green): src_subnet_usage and dst_subnet_usage.

    Now that we know it’s working, on to the next step: Replaying the archived data.
