I want to be able to find the most vulnerable subnet. I know how to verify if an ip is in a subnet by using the cidrmatch function, but I want to collect subnets into a transaction (or just a collection) and then be able to do a search on these subnets to find which one contains the most number of vulnerabilities.
Any help would be appreciated!
If you have a small number of subnets, you could use a technique like this:
<Vulnerability search> ... | eval subnet=case(cidrmatch("10.0.0.0/24", ip), "Subnet 10.0.0.x", cidrmatch("10.0.1.0/24", ip), "Subnet 10.0.1.x", 0==0, "Unknown subnet") | stats count by subnet
As long as <Vulnerability search> returns events with an ip field, this simple technique should work. As far as I know, there's no simple way to automatically group IPs into subnets without actually defining the size of each individual network.
If all of your networks are "/24"s, then you could do something trivial like:
<Vulnerability search> ... | eval subnet=replace(ip, "^(\d+\.\d+\.\d+)\.\d+$", "\1.x") | stats count by subnet
But that's about as far as regex tricks will take you. 😞
BTW, if you have a large range of subnets, or want an approach that is more generally reusable, then I'd recommend using lookups. See the answer Using CIDR in a lookup table for the specifics on how to set this up in a lookup file.
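The same grouping logic outside of Splunk, as an added example that is not part of the answer above: a cidrmatch-style lookup over a list of networks of any prefix length (longest prefix wins, so an enclosing range does not swallow a smaller one), a "stats count by subnet" equivalent, and the pick of the subnet with the most findings. The subnets and vulnerability events are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed: the subnets of interest; mixed prefix lengths, not only /24s.
SUBNETS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("192.168.0.0/22"),
]

# Constructed: one record per vulnerability finding, each carrying the host ip field.
VULN_EVENTS = [
    {"ip": "10.0.0.5", "signature": "finding-a"},
    {"ip": "10.0.0.77", "signature": "finding-b"},
    {"ip": "10.0.1.9", "signature": "finding-a"},
    {"ip": "192.168.2.14", "signature": "finding-c"},
    {"ip": "192.168.3.200", "signature": "finding-a"},
    {"ip": "192.168.1.1", "signature": "finding-d"},
    {"ip": "172.16.5.5", "signature": "finding-a"},   # not in any listed subnet
    {"ip": "not-an-ip", "signature": "finding-e"},    # malformed ip field
]

UNKNOWN = "Unknown subnet"


def match_subnet(ip, subnets):
    """Equivalent of chaining cidrmatch() calls in a case(): return the
    most specific network containing ip, or UNKNOWN for no match or bad input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return UNKNOWN
    # Longest prefix first so a /24 beats an enclosing /16 when both are listed.
    for net in sorted(subnets, key=lambda n: n.prefixlen, reverse=True):
        if addr in net:
            return str(net)
    return UNKNOWN


def count_by_subnet(events, subnets):
    """Equivalent of '| stats count by subnet'."""
    return dict(Counter(match_subnet(e["ip"], subnets) for e in events))


def most_vulnerable_subnet(events, subnets):
    """Return (subnet, count) for the known subnet with the most findings, or None."""
    known = {k: v for k, v in count_by_subnet(events, subnets).items() if k != UNKNOWN}
    return max(known.items(), key=lambda kv: kv[1]) if known else None
```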
First of all you need to be able to define what a subnet is...