Matching an IP address from a lookup table of CIDR ranges

Motivator

I am trying to search events where the destination IP is in a lookup table consisting of a list of CIDR ranges (and three other columns that note the zone, firewall, and context), and I'm having issues getting output to return the subnets that matched the SRC and destination IPs. My search is as follows:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found" | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name" | fields "Host IP"
| lookup ip_cidr cidr_range as "Host IP" OUTPUT cidr_range as ip_match

I followed the info from the link - https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html, but the events are returned with the Host IP field and the ip_match field, but the value for the ip_match field is "NONE".

What I'm trying to do is have each Host IP compared to the CIDR range, which then when it matches, pulls the other three fields so I can create a table that identifies the location of each system.

Thx

0 Karma
1 Solution

Esteemed Legend

You are copying the other answer too closely. Do copy the setup parts but run your search like this:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found"
| lookup ip_cidr cidr_range AS dest
| rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name"

Motivator

The only issue left is that the zone/context have multiple values listed and not just the singular value for zone/context. Not sure why it's pulling multiple values for zone and context when the IP is only part of just one zone/context.

Thx

0 Karma
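
An added example, not part of the original thread and not Splunk's own code: a short Python check that models a CIDR lookup over a table with the columns described in the question (cidr_range, zone, firewall, context). It shows one way a single IP can come back with several zone/context values (overlapping ranges in the table) and how a longest-prefix match reduces that to one row. The sample rows and function names are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample lookup table (not from the original thread). The columns
# follow the thread's description: cidr_range, zone, firewall, context.
SAMPLE_CSV = """cidr_range,zone,firewall,context
10.0.0.0/8,corp,fw-core,internal
10.20.0.0/16,branch,fw-branch,internal
10.20.30.0/24,lab,fw-lab,restricted
192.168.1.0/24,guest,fw-edge,untrusted
"""

def load_rows(text):
    """Parse the CSV and attach a parsed network object to every row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # strict=False tolerates entries such as 10.20.30.5/24 with host bits set
        row["_net"] = ipaddress.ip_network(row["cidr_range"].strip(), strict=False)
        rows.append(row)
    return rows

def all_matches(rows, ip):
    """Every row whose range contains ip; more than one means overlapping ranges."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return []  # hostnames or empty values can never match a CIDR range
    return [r for r in rows if addr.version == r["_net"].version and addr in r["_net"]]

def most_specific(rows, ip):
    """Longest-prefix match: the single narrowest range containing ip, or None."""
    hits = all_matches(rows, ip)
    return max(hits, key=lambda r: r["_net"].prefixlen) if hits else None

def overlapping_pairs(rows):
    """Pairs of ranges in the table that overlap each other."""
    return [(a["cidr_range"], b["cidr_range"])
            for i, a in enumerate(rows) for b in rows[i + 1:]
            if a["_net"].version == b["_net"].version and a["_net"].overlaps(b["_net"])]

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for ip in ("10.20.30.7", "192.168.1.50", "workstation-01"):
        zones = [r["zone"] for r in all_matches(rows, ip)]
        best = most_specific(rows, ip)
        print(ip, zones, best["zone"] if best else None)
    print(overlapping_pairs(rows))
```

Running `overlapping_pairs` against an export of the real lookup file lists the ranges to review. In Splunk, the `max_matches` setting of the lookup definition in transforms.conf limits how many matching rows are returned per event.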

Esteemed Legend

OK, if this fixed it for you, please do click Accept to close the question.

0 Karma

Motivator

Thx for the clarification. The search produced results, but for the other three fields of the lookup table - zone, firewall, context, each shows a value of "none".

How can I modify the search to populate the three fields so that I'm able to trace the user to their zone, firewall, and context?

Thx

0 Karma

Motivator

Really weird - after following around with the search I finally got it to run. I had this originally:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found"
 | lookup ip_cidr cidr_range as "Host IP" 
 | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name"

and the zone, firewall, and context fields were set to "None". However, there was another field - IP_Address - and I changed the search to:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found"
 | lookup ip_cidr cidr_range as IP_Address 
 | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name"

and the zone, firewall, and context fields are populated with the relevant information.

Thx again for the help!

0 Karma