Splunk Search

How to display the source ip which does not fall under cidr range specified in a lookup table?

Pooja_R
Loves-to-Learn Lots

I have a lookup table with allowed CIDR ranges.

allowed_cidr_range      applications

Xyx                                             abc

I need to build a alert whenever source ip does not belong to the allowed cidr range.

Query :

NOT [| lookup cidr_vpc.csv allowed_cidr_range as src_ip output allowed_cidr_range]

|table _time,host,sourcetype,src_ip,dst_ip

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this (assuming the lookup type is defined as being CIDR)

| lookup cidr_vpc.csv allowed_cidr_range as src_ip output applications]
| where isnull(applications)
| table _time,host,sourcetype,src_ip,dst_ip

 

0 Karma

Pooja_R
Loves-to-Learn Lots

Hi

The lookup table looks something  like

allowed_cidr            applications

10.7.0.0/16                 dev

10.16.0.0/26               non_prod_server

I want to consider allowed_cidr as source ip and display the addresses not in  cidrmatch

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Look up the src_ip (make sure the lookup definition says CIDR match)

If the lookup finds a match then the src_ip is allowed, therefore, if there is no match applications will be null

| lookup cidr_vpc.csv allowed_cidr as src_ip OUTPUT applications
| where isnull(applications)
| table _time,host,sourcetype,src_ip,dst_ip
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...