We are blocking a list of different known malicious IP ranges on our checkpoint firewalls. We do receive the syslog info from checkpoint just fine. How can I search for all of the different ranges and put them into a dashboard?
You can also search for CIDR blocks in lookups. One approach would be to keep that list of known malicious IP ranges in a CSV lookup (it could also be a database, pulled with DBX).
Configure CIDR-based lookups. In transforms, you need to configure the CIDR field:
[badipranges]
filename = badipranges.csv
max_matches = 1
min_matches = 1
default_match = OK
match_type = CIDR(badiprange)
Note that CIDR(badiprange) tells Splunk which field is in CIDR notation.
You can then run your lookups against this list.
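As an added illustration (not part of the answer above or of Splunk itself), the Python below emulates offline what the CIDR lookup stanza does to a few Checkpoint-style syslog lines: every src/dst address is checked against the badiprange column, at most max_matches rows are returned, and default_match ("OK") fills in when nothing matches. The CSV contents, log lines, and the assumption that the first matching row in file order wins are all constructed here; check Splunk's own precedence for overlapping CIDRs before relying on it in a dashboard.

```python
import csv
import io
import ipaddress
import re

# Constructed stand-in for badipranges.csv; "badiprange" is the column the
# transforms.conf stanza marks with match_type = CIDR(badiprange).
BADIPRANGES_CSV = """badiprange,threat
198.51.100.0/24,scanner-range
203.0.113.0/25,c2-hosting
203.0.113.0/24,bulletproof-asn
"""

# Constructed log lines in a Checkpoint-like key=value syslog style.
SAMPLE_LOGS = [
    "action=drop src=198.51.100.77 dst=10.0.0.5 proto=tcp service=445",
    "action=accept src=10.0.0.9 dst=203.0.113.40 proto=tcp service=443",
    "action=drop src=203.0.113.200 dst=10.0.0.5 proto=udp service=53",
    "action=accept src=192.0.2.10 dst=10.0.0.7 proto=tcp service=80",
]

FIELD_RE = re.compile(r"(src|dst)=(\S+)")


def load_ranges(csv_text):
    """Parse the lookup CSV into (network, row) pairs, keeping file order."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(ipaddress.ip_network(r["badiprange"], strict=False), r) for r in rows]


def cidr_lookup(ip, ranges, max_matches=1, default_match="OK"):
    """Emulate the stanza: up to max_matches matching rows (first in file
    order first, an assumption), or default_match when none match."""
    addr = ipaddress.ip_address(ip)
    hits = [row["threat"] for net, row in ranges if addr in net]
    return hits[:max_matches] if hits else [default_match]


def enrich_logs(logs, csv_text=BADIPRANGES_CSV):
    """Tag the src and dst address of each log line with its lookup result."""
    ranges = load_ranges(csv_text)
    results = []
    for line in logs:
        fields = dict(FIELD_RE.findall(line))
        results.append({k: cidr_lookup(v, ranges)[0] for k, v in fields.items()})
    return results


if __name__ == "__main__":
    for line, tags in zip(SAMPLE_LOGS, enrich_logs(SAMPLE_LOGS)):
        print(tags, "<-", line)
```

Lines where both src and dst come back "OK" are the ones the dashboard can ignore; anything else is a hit on the bad-range list.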