Nee help on this plugin #11
Description
Pertaining to my thread started on Graylog - Would you be able to help me on my below issue?
Here is the info
DNS RPZ Stream
Stream ID = 5b9e7dfdc4445a03714dfd72
Field = qdomain
String = sway.office.com
AD logs Stream => Remote stream
Stream ID = 5d7f8e434980dd02c2fffb34
Field = packetbeat_dns_question_name
String = packetbeat_client_ip
As per above, I need to find out if qdomain Field from stream [5b9e7dfdc4445a03714dfd72] matches with packetbeat_dns_question_name from [5d7f8e434980dd02c2fffb34] then return recent packetbeat_client_ip from [5d7f8e434980dd02c2fffb34]
Here is my rule
rule "find_orig_client_ip - new"
when
has_field ("qdomain")
then
let orig_client_ip = slookup("5d7f8e434980dd02c2fffb34", "qdomain", "packetbeat_dns_question_name", ["packetbeat_client_ip"], "180", "desc");
set_field("packetbeat_client_ip", to_string(orig_client_ip));
end
I am not able to get the proper results. My queries are -
I am attaching this pipeline to DNS RPZ stream [5b9e7dfdc4445a03714dfd72] so per slookup help
Remote stream => 5d7f8e434980dd02c2fffb34
srcField => qdomain
dstField => packetbeat_dns_question_name
rtnField => packetbeat_client_ip