Hi we currently consuming threat intelligence data and want to correlate this in Splunk in a good way.
The problem is that some of the feeds deliver IP addresses in the format of ip-ip and not ip/subnet.
How can i make Splunk look at ip-ip as individual IP addresses to match against our firewall logs?
Assuming your threat ip fields are ip range:
"192.168.1.1-192.168.1.100" means ALL IP addresses between the range: 192.168.1.1,2,3,...100
You can use the following:
index=firewall |table fwsrc
|append [index=threat |table threatip ]
|makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1)
|table fwsrc startip endip
|eventstats values(startip) as startip values(endip) as endip
|stats count by fwsrc startip endip
|eval isThreat = if(fwsrc>=startip AND fwsrc<=endip,"T","F")
|stats values(isThreat) as isThreat by fwsrc |eval isThreat=if(isThreat=="T","T","F")
Explanation:
|makemv threatip delim="-" will convert the range to multivalue field with start and end
mvindex will extract them to new fields
eventstats will spread the threat ranges across the entire table
(fwsrc>=startip) can decide if fwsrc is 'bigger' than startip, means all it's 4 parts are above or equal to the other ip.
(fwsrc>=endtip) works the same in the opposite side
|stats values and eval will finally show only the ip that detected as threat in one of the ranges.
Another working approach would be converting all the ranges to a where clause in subsearch:
index=firewall |table fwsrc
|where
[index=threat |table threatip |makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1) |table startip endip
|eval where="fwsrc>=\""+startip+"\" AND fwsrc<=\""+endip+"\"" |return 10000 $where]
The subsearch here assembles the table:
threatip
-----------
192.168.1.2-192.168.1.100
10.0.0.1-10.1.0.100
into a single line where clause:
(fwsrc>="192.168.1.2" AND fwsrc<="192.168.1.100") OR (fwsrc>="10.0.0.1" AND fwsrc<="10.0.0.100")
Then, the |where command is using this string to filter the results.
Assuming your threat ip fields are ip range:
"192.168.1.1-192.168.1.100" means ALL IP addresses between the range: 192.168.1.1,2,3,...100
You can use the following:
index=firewall |table fwsrc
|append [index=threat |table threatip ]
|makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1)
|table fwsrc startip endip
|eventstats values(startip) as startip values(endip) as endip
|stats count by fwsrc startip endip
|eval isThreat = if(fwsrc>=startip AND fwsrc<=endip,"T","F")
|stats values(isThreat) as isThreat by fwsrc |eval isThreat=if(isThreat=="T","T","F")
Explanation:
|makemv threatip delim="-" will convert the range to multivalue field with start and end
mvindex will extract them to new fields
eventstats will spread the threat ranges across the entire table
(fwsrc>=startip) can decide if fwsrc is 'bigger' than startip, means all it's 4 parts are above or equal to the other ip.
(fwsrc>=endtip) works the same in the opposite side
|stats values and eval will finally show only the ip that detected as threat in one of the ranges.
Another working approach would be converting all the ranges to a where clause in subsearch:
index=firewall |table fwsrc
|where
[index=threat |table threatip |makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1) |table startip endip
|eval where="fwsrc>=\""+startip+"\" AND fwsrc<=\""+endip+"\"" |return 10000 $where]
The subsearch here assembles the table:
threatip
-----------
192.168.1.2-192.168.1.100
10.0.0.1-10.1.0.100
into a single line where clause:
(fwsrc>="192.168.1.2" AND fwsrc<="192.168.1.100") OR (fwsrc>="10.0.0.1" AND fwsrc<="10.0.0.100")
Then, the |where command is using this string to filter the results.
Assuming the ip field looks like this:
"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1"
You can convert it to multivalue field, and then expand to rows:
|makemv delim="-" ip |mvexpand ip
"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" ->
ip
192.168.1.1
192.168.1.2
192.168.1.3
10.0.0.1
Full example:
| makeresults count=1 |eval ip="192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" |table ip
|makemv delim="-" ip |mvexpand ip
The ip Field looks like this
192.168.3.35-192.168.3.47
I don't think think the answer apply to this.
But im not a splunk superman yet
Ok I understand the range is |fromip-toip"
I will post new answer according to this
What's the different from your example:
192.168.3.35-192.168.3.47
To my example:
192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1