LOOKUP JOIN: matching network traffic against threat intel IOCs
Joining outbound network traffic with an index of indicators of compromise: only matching destinations keep the threat.* fields.
Requirements
Elasticsearch 8.18+, threat_iocs index in lookup mode
ES|QL
FROM logs-network-*
| WHERE network.direction == "outbound"
AND @timestamp >= NOW() - 30 days
| LOOKUP JOIN threat_iocs ON destination.ip
| WHERE threat.indicator.type IS NOT NULL
| STATS
connexions = COUNT(*),
hotes_internes = VALUES(host.name),
premiere = MIN(@timestamp)
BY destination.ip, threat.indicator.description
| SORT connexions DESC
| LIMIT 50
Result
destination.ip | threat.indicator.description      | connexions | hotes_internes            | premiere
---------------+-----------------------------------+------------+---------------------------+-------------------------
203.0.113.42   | C2 Cobalt Strike (campagne avril) | 214        | [ws-compta-04, dev-ws-12] | 2026-05-18T09:12:44.000Z
198.51.100.77  | Botnet Mirai - noeud actif        | 48         | [iot-cam-07]              | 2026-06-02T03:40:12.000Z
192.0.2.118    | Phishing kit hosting              | 12         | [ws-rh-02]                | 2026-06-08T14:51:20.000Z
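As an added example, not code from the original page and not Elasticsearch code, the following Python reproduces the semantics of the ES|QL pipeline above over constructed sample rows: the outbound and 30-day window filter, the LOOKUP JOIN as a left join on destination.ip, the IS NOT NULL filter that drops unmatched rows, and the STATS/SORT/LIMIT aggregation. The sample log rows, the IOC rows, the fixed NOW value and the function names (lookup_join, match_outbound_traffic) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample documents standing in for logs-network-* (hypothetical data).
NETWORK_LOGS = [
    {"@timestamp": "2026-05-18T09:12:44Z", "network.direction": "outbound",
     "destination.ip": "203.0.113.42", "host.name": "ws-compta-04"},
    {"@timestamp": "2026-05-19T10:00:00Z", "network.direction": "outbound",
     "destination.ip": "203.0.113.42", "host.name": "dev-ws-12"},
    {"@timestamp": "2026-06-02T03:40:12Z", "network.direction": "outbound",
     "destination.ip": "198.51.100.77", "host.name": "iot-cam-07"},
    # inbound: removed by the network.direction filter
    {"@timestamp": "2026-06-03T08:00:00Z", "network.direction": "inbound",
     "destination.ip": "198.51.100.77", "host.name": "iot-cam-07"},
    # outbound but no IOC for this destination: dropped by the IS NOT NULL filter
    {"@timestamp": "2026-06-05T12:00:00Z", "network.direction": "outbound",
     "destination.ip": "192.0.2.5", "host.name": "ws-rh-02"},
    # older than the 30-day window: removed by the @timestamp filter
    {"@timestamp": "2026-01-01T00:00:00Z", "network.direction": "outbound",
     "destination.ip": "203.0.113.42", "host.name": "old-host"},
]

# Constructed rows standing in for the threat_iocs lookup index.
THREAT_IOCS = [
    {"destination.ip": "203.0.113.42", "threat.indicator.type": "ipv4-addr",
     "threat.indicator.description": "C2 Cobalt Strike (campagne avril)"},
    {"destination.ip": "198.51.100.77", "threat.indicator.type": "ipv4-addr",
     "threat.indicator.description": "Botnet Mirai - noeud actif"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Fixed stand-in for NOW() so the example is deterministic (constructed value).
NOW = parse_ts("2026-06-10T00:00:00Z")


def lookup_join(rows, lookup_rows, key):
    """Left join mirroring LOOKUP JOIN: every input row is kept; a row with no
    match keeps its fields only (the lookup fields stay absent, i.e. null), and a
    row with several matching lookup documents is emitted once per match."""
    index = defaultdict(list)
    for lookup_row in lookup_rows:
        index[lookup_row[key]].append(lookup_row)
    joined = []
    for row in rows:
        matches = index.get(row.get(key), [])
        if not matches:
            joined.append(dict(row))
            continue
        for match in matches:
            out = dict(row)
            out.update({k: v for k, v in match.items() if k != key})
            joined.append(out)
    return joined


def match_outbound_traffic(logs, iocs, now, window_days=30, limit=50):
    """Run the same stages as the ES|QL query: WHERE, LOOKUP JOIN, WHERE, STATS, SORT, LIMIT."""
    cutoff = now - timedelta(days=window_days)
    candidates = [
        r for r in logs
        if r["network.direction"] == "outbound" and parse_ts(r["@timestamp"]) >= cutoff
    ]
    joined = lookup_join(candidates, iocs, "destination.ip")
    # WHERE threat.indicator.type IS NOT NULL: keep only rows that matched an IOC
    matched = [r for r in joined if r.get("threat.indicator.type") is not None]

    # STATS ... BY destination.ip, threat.indicator.description
    groups = defaultdict(list)
    for r in matched:
        groups[(r["destination.ip"], r["threat.indicator.description"])].append(r)
    results = []
    for (ip, description), rows in groups.items():
        results.append({
            "destination.ip": ip,
            "threat.indicator.description": description,
            "connexions": len(rows),                                  # COUNT(*)
            "hotes_internes": sorted({r["host.name"] for r in rows}),  # VALUES(host.name)
            "premiere": min(r["@timestamp"] for r in rows),            # MIN(@timestamp)
        })
    results.sort(key=lambda r: r["connexions"], reverse=True)       # SORT connexions DESC
    return results[:limit]                                            # LIMIT


if __name__ == "__main__":
    for hit in match_outbound_traffic(NETWORK_LOGS, THREAT_IOCS, NOW):
        print(hit)
```

Two behaviours of the example carry over to the real query. A LOOKUP JOIN emits one row per matching lookup document, so a destination listed twice in threat_iocs doubles its connection count unless the lookup index is deduplicated. Rows with no match are kept with empty threat.* fields, which is why the WHERE threat.indicator.type IS NOT NULL step is needed to turn the left join into a match-only result. On the Elasticsearch side, the lookup index has to be created with index.mode set to lookup, and the join key must exist under the same field name with a compatible type (ip for destination.ip) in both the log indices and the lookup index.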