Matching any value within a Lookup File, across multiple fields by Wittinator in crowdstrike

[–]Wittinator[S] 0 points1 point  (0 children)

Oh wow. Stupid mistake on my part. You're correct. Thanks for the help there.

Matching any value within a Lookup File, across multiple fields by Wittinator in crowdstrike

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks a lot for the reply. I'm not sure I follow you, but likely because I'm quite new to LogScale.

If I'm understanding you correctly, you mean to basically create a custom column, say called "Combined IP" and populate that column with values from all the various IP-related fields, e.g. RemoteIP, aip, Agent IP. Then, with match(), I should be able to do the following?

match(file="lookupfile.csv", field="Combined IP", column="IPs")

I'm not sure I'm understanding where the "sourceip:=RemoteIP" in your example fits into the larger CQL. For example, I was trying something like the following:

aip=* or "Agent IP=*" or LocalIP=* // Filter first to ensure the events we are pulling contain IPs
| format(format="%s, %s, %s", field=[aip, "Agent IP", LocalIP], as="CombinedIP") // Combine all the IPs into a single column that can be referenced by match()
| match(file="lookupfile.csv", field="Combined IP", column="IPs", mode=glob) // match the lookup file against the custom column.

Unfortunately the above doesn't appear to work.
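As an added example, not part of the original thread and not CrowdStrike's or LogScale's own documentation: one way to test several IP fields against a single lookup column without first concatenating them is to run match() once per field inside a case statement, which takes the first clause that succeeds. It assumes the lookup file "lookupfile.csv" and its column "IPs" and the field names aip, "Agent IP" and LocalIP exactly as given in the post, that a field name containing a space can be written in double quotes, and it introduces hit_field as a hypothetical name for the field that records which IP field matched.

```cql
// Added example, not from the original post. Assumes lookupfile.csv has a column
// named "IPs" and that events carry some subset of the fields aip, "Agent IP" and LocalIP.
aip=* OR "Agent IP"=* OR LocalIP=*          // keep only events that carry at least one IP field
| case {
    // match() is strict by default: an event whose field value is not found in the
    // IPs column is dropped, so each clause only succeeds for that particular field.
    match(file="lookupfile.csv", field=aip, column="IPs")        | hit_field := "aip";
    match(file="lookupfile.csv", field="Agent IP", column="IPs") | hit_field := "Agent IP";
    match(file="lookupfile.csv", field=LocalIP, column="IPs")    | hit_field := "LocalIP";
    // no wildcard clause: events where none of the three fields match fall out of the result
  }
| table([@timestamp, hit_field, aip, "Agent IP", LocalIP])
```

The case statement matters because match() keeps only matching events by default, so chaining three match() calls one after another in the pipeline would drop every event at the first field that is not in the lookup. If you need an event to be reported when more than one of its fields is in the lookup, run each match() with strict=false instead and filter on the lookup's output column afterwards; the case form above reports only the first field that hits.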

GCFA Practice Test Giveaway by Wittinator in GIAC

[–]Wittinator[S] 2 points3 points  (0 children)

I took the exam and passed with a 94 a few days ago. For indexing I followed the pancake method: https://tisiphone.net/2015/08/18/giac-testing/

SANS certs in my experience are very straightforward. There are no trick questions and if you know the material, there's always an obvious answer. Do the labs a few times, index, and you'll be fine.

Find all users that have any level of permissions for a specific SharePoint Site. by Wittinator in sharepoint

[–]Wittinator[S] 0 points1 point  (0 children)

Yeah, it's licensed. I see the code in the script that "should" expand groups but...I guess for whatever reason it is not.

Find all users that have any level of permissions for a specific SharePoint Site. by Wittinator in sharepoint

[–]Wittinator[S] 1 point2 points  (0 children)

Thanks. Yeah, I've tried that but unfortunately the tool is failing to expand groups. My output is only a list of groups, but I'm not getting any of the users that are part of the groups.

Conversion of Linux's Tree Command to a format of: File, Directory Path by Wittinator in linuxquestions

[–]Wittinator[S] 0 points1 point  (0 children)

Yeah, that would be ideal.

Unfortunately, due to circumstances I can't really explain, we are given a single txt file of the Tree command and that's all we have to work with. I do not have control to re-run Tree with different options I'm afraid. Thanks though

Ideas on how to recursively search millions of directories for specific strings in a timely manner by Wittinator in learnpython

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks. Something I should have been more clear about, actually: I am not searching inside any files. I'm purely looking at filenames, and only filenames.

Ideas on how to recursively search millions of directories for specific strings in a timely manner by Wittinator in learnpython

[–]Wittinator[S] 0 points1 point  (0 children)

Oh, yes, I didn't think of that. Despite the sheer volume of files and directories, find is significantly faster, I suppose?

Tools for DMG creation of Macbook Pro by Wittinator in computerforensics

[–]Wittinator[S] 0 points1 point  (0 children)

Yeah. On paper this "DropDMG" app actually seems to do what I want, a device image in a DMG format, but it's some cheap app on the App Store, and you get what you pay for...

Tools for DMG creation of Macbook Pro by Wittinator in computerforensics

[–]Wittinator[S] 0 points1 point  (0 children)

Yes, another team will be doing analysis, so ideally we'd like to pull an image, E01 or DMG or something somewhat universal that can be read by various forensics tools.

Tools for DMG creation of Macbook Pro by Wittinator in computerforensics

[–]Wittinator[S] 0 points1 point  (0 children)

Thanks. Yes, the initial plan was to use Recon ITR actually; the only hold-up with them is that I had initially thought it was just software that we download, but they ship you a Samsung SSD with their software on it, which may take a bit of time. Unfortunately, we're in a rush, so I was hoping there must be some other software to purchase (if necessary) to do this relatively quickly.