How to display the source ip which does not fall u...

Pooja_R · ‎08-03-2022

I have a lookup table with allowed CIDR ranges.

allowed_cidr_range applications

Xyx abc

I need to build a alert whenever source ip does not belong to the allowed cidr range.

Query :

NOT [| lookup cidr_vpc.csv allowed_cidr_range as src_ip output allowed_cidr_range]

|table _time,host,sourcetype,src_ip,dst_ip

ITWhisperer · ‎08-03-2022

Try something like this (assuming the lookup type is defined as being CIDR)

| lookup cidr_vpc.csv allowed_cidr_range as src_ip output applications]
| where isnull(applications)
| table _time,host,sourcetype,src_ip,dst_ip

Pooja_R · ‎08-03-2022

Hi

The lookup table looks something like

allowed_cidr applications

10.7.0.0/16 dev

10.16.0.0/26 non_prod_server

I want to consider allowed_cidr as source ip and display the addresses not in cidrmatch

ITWhisperer · ‎08-03-2022

Look up the src_ip (make sure the lookup definition says CIDR match)

If the lookup finds a match then the src_ip is allowed, therefore, if there is no match applications will be null

| lookup cidr_vpc.csv allowed_cidr as src_ip OUTPUT applications
| where isnull(applications)
| table _time,host,sourcetype,src_ip,dst_ip

How to display the source ip which does not fall under cidr range specified in a lookup table?