Search a series of IP addresses pulled from HTTPS source

Comments

2 comments

  • Ben Newton

    Yes. So:

    1) Run a scheduled search that saves the results - https://help.sumologic.com/Search/Search_Query_Language/Search_Operators/save

    2) And then reference that in your other searches with the lookup operator - https://help.sumologic.com/Search/Search_Query_Language/Search_Operators/lookup

    You can basically try to look up the ip in your search against the lookup and if it isn't found, you will get a null value:

    You could do something like:

    CREATE the LOOKUP

    | parse "ip=*]" as web_ip
    | save /shared/somelookup

    USE THE LOOKUP

    | parse "remote_ip=*]" as remote_ip
    | lookup web_ip from /shared/somelookup on web_ip = remote_ip
    | "found" as result
    | if (isNull(web_ip), "not found", result) as result

    You can name the lookup file whatever you want, just make sure to use the "/shared/" directory prefix. That will guarantee that anyone can run your search as well.

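The save-then-lookup pattern from the answer above, as an added example that is not part of the original thread and not Sumo Logic's own code: a small Python script that reproduces the two searches offline so the "found" / "not found" branches can be checked. The log lines are constructed, the field names ("ip=*]" and "remote_ip=*]") mirror the parse expressions in the answer, and the in-memory set stands in for the saved /shared/somelookup file. It goes slightly beyond the answer by normalising each address (so IPv6 case and compression variants still match) and by treating an unparsable or missing field as a lookup miss rather than a crash.

```python
import re
import ipaddress

# Constructed sample lines for the first search (the one that builds the lookup):
#   | parse "ip=*]" as web_ip
WEB_LOG_LINES = [
    "2024-01-01T10:00:00Z web01 request ip=203.0.113.10] path=/login",
    "2024-01-01T10:00:01Z web01 request ip=203.0.113.11] path=/",
    "2024-01-01T10:00:02Z web01 request ip=not-an-ip] path=/",   # junk value, must be skipped
]

# Constructed sample lines for the second search (the one that uses the lookup):
#   | parse "remote_ip=*]" as remote_ip
REMOTE_LOG_LINES = [
    "2024-01-01T11:00:00Z fw01 accept remote_ip=203.0.113.10] port=443",
    "2024-01-01T11:00:01Z fw01 accept remote_ip=198.51.100.7] port=22",
    "2024-01-01T11:00:02Z fw01 accept port=22",                   # field missing entirely
]


def parse_field(line, field):
    """Mimic  parse "<field>=*]"  : return the text between '<field>=' and the
    next ']', or None when the anchor is not present in the line."""
    match = re.search(re.escape(field) + r"=([^\]]*)\]", line)
    return match.group(1) if match else None


def normalise_ip(value):
    """Return the canonical string form of an IPv4/IPv6 address, or None for a
    missing or invalid value.  Canonicalising both sides of the join avoids
    misses caused by formatting differences (e.g. upper-case IPv6 hex)."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_lookup(lines):
    """Equivalent of the scheduled search: parse web_ip from every line and
    'save' the distinct, valid addresses (here: into a set instead of a file)."""
    lookup = set()
    for line in lines:
        ip = normalise_ip(parse_field(line, "ip"))
        if ip is not None:
            lookup.add(ip)
    return lookup


def lookup_remote_ips(lines, lookup):
    """Equivalent of the second search: parse remote_ip, look it up, and label
    each line.  A miss yields web_ip = None, which is what the isNull() branch
    in the query turns into "not found"."""
    results = []
    for line in lines:
        remote_ip = normalise_ip(parse_field(line, "remote_ip"))
        web_ip = remote_ip if remote_ip in lookup else None
        result = "not found" if web_ip is None else "found"
        results.append({"remote_ip": remote_ip, "web_ip": web_ip, "result": result})
    return results


if __name__ == "__main__":
    saved = build_lookup(WEB_LOG_LINES)
    for row in lookup_remote_ips(REMOTE_LOG_LINES, saved):
        print(row)
```

Only the first remote line matches; the second address is not in the saved set and the third line has no remote_ip field at all, so both come back as "not found" rather than breaking the search.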
  • Scott Johnson

    Can you use the lookup function on internally hosted HTTPS servers? I have some vulnerability data from scans I want to incorporate into some SecOps dashboards.
