Network Toolkit includes custom lookups that can be used to get information on hosts within events. The lookups provided are:
Below are some examples of running these lookups (in each example, the event field containing the host you want to look up is host_to_lookup):
... | lookup whois host as host_to_lookup | table _raw host raw updated_date nameservers registrar whois_server query creation_date emails expiration_date status id
... | lookup ping host as host_to_lookup | table _raw host sent received packet_loss min_ping max_ping avg_ping jitter return_code raw_output
... | lookup traceroute host as host_to_lookup | table _raw host return_code raw_output hops
... | lookup nslookup host as host_to_lookup | table _raw aaaa a mx ns server
(dest=10.0.0.6 OR dest=10.0.1.11) | stats count by dest | eval ports="80,443,8000" | lookup portscan host as dest ports | table ports dest open_ports closed_ports
If you do not want to use the default ports, make sure the ports field is set to the comma-separated list of ports to scan before calling the portscan lookup (the example above sets it with eval).
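As an added example (not the Network Toolkit app's own code), the script below shows how a lookup shaped like portscan consumes the host and ports fields and fills open_ports and closed_ports using Splunk's external-lookup CSV contract; the TCP connect probe, timeout and default port list are assumptions.

```python
"""Minimal Splunk external-lookup script shaped like the portscan lookup.

Splunk pipes a CSV to stdin whose header lists every field in the lookup
definition; input fields are filled, output fields are blank, and the script
must echo the same header with the output fields filled in.  The field names
(host, ports, open_ports, closed_ports) follow the example search above; the
probe method, timeout and default port list are assumed, not the app's own.
"""
import csv
import socket
import sys


def parse_ports(ports_field: str, default: str = "22,80,443") -> list[int]:
    """Turn the comma-separated ports field into ints; an empty field falls
    back to the (assumed) default list, mirroring the page's note on defaults."""
    raw = ports_field.strip() or default
    return sorted({int(p) for p in raw.split(",") if p.strip()})


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True when a TCP connect() succeeds (assumed probe method)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_row(row: dict, probe=tcp_probe) -> dict:
    """Fill open_ports/closed_ports for one lookup row using `probe`."""
    ports = parse_ports(row.get("ports", ""))
    open_p = [p for p in ports if probe(row["host"], p)]
    closed_p = [p for p in ports if p not in open_p]
    row["open_ports"] = ",".join(map(str, open_p))
    row["closed_ports"] = ",".join(map(str, closed_p))
    return row


def run_lookup(stdin, stdout, probe=tcp_probe) -> None:
    """External-lookup protocol: read CSV, write CSV with the same header."""
    reader = csv.DictReader(stdin)
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow(scan_row(row, probe))


if __name__ == "__main__":
    run_lookup(sys.stdin, sys.stdout)
```

Because the probe is injectable, the CSV handling can be exercised offline with a stub before the script is wired into a lookup definition.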