Splunk Search

Creating a Lookup for respective cidr ranges

cbrissett
Engager

Hi, I am trying to create a query to highlight when specified accounts are used outside of their corresponding IP range by using a csv Lookup table.

For example, user account 'user1' has signed in from source ip 10.0.0.200 but they are only meant to sign in from 10.0.0.0/25 or 11.0.0.0/25 or 12.0.0.0/25, The csv file would be like follows:

User, allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
User1, 10.0.0.0/25, 11.0.0.0/25, 12.0.0.0/25
User 2, 10.0.0.128/25, 11.0.0.128/25 
User 3 10.0.1.0/25

Note that some accounts have a single range, some multiple. Does anyone know how I could make an appropriate Lookup command that will only show user accounts that have been used outside of their designated ip ranges?

Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@cbrissett 

Can you please try this example?

I have used lookup named cidr_lookup.csv with below value.

User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25 
User3,10.0.1.0/25

 

transforms.conf

[cidr_lookup]
filename = cidr_lookup.csv

Search:

YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source

 

My Sample Search :

| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1" 
| rename comment as "Upto Now is sample data only" 
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) 
| table User source

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@cbrissett 

Can you please try this example?

I have used lookup named cidr_lookup.csv with below value.

User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25 
User3,10.0.1.0/25

 

transforms.conf

[cidr_lookup]
filename = cidr_lookup.csv

Search:

YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source

 

My Sample Search :

| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1" 
| rename comment as "Upto Now is sample data only" 
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) 
| table User source

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

cbrissett
Engager

Thanks very much this worked!

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...