create lookup for blacklisted ip address

asharma21193 · ‎06-22-2020

I am trying to write a correlation search where I want that if any of host from my internal network (10.0.0.0/8) as a source or destination communicates to any host exist inside the list of blacklist subnet/ip address as mentioned below:

47.114.37.0/24 49.85.84.0/24 61.111.20.129/32 62.217.245.69/32 109.166.202.229/32

alonsocaio · ‎06-22-2020

Hi,

You can try to use some simple search like:

index=NETWORK_INDEX src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32)
| stats count by src_ip, dest_ip

Or using Network Traffic data model:

| from datamodel:Network_Traffic.All_Traffic
| search src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32)
| stats count by src_ip, dest_ip

A best approach you can use is using lookups.

If you have a lookup table with fields similar to IP and STATUS, It is possible to create a lookup definition.

Supposing you have the lookup below, you can create a lookup definition named ip_blacklist:

ip,status
47.114.37.0/24,blacklist
49.85.84.0/24,blacklist
61.111.20.129/32,blacklist
62.217.245.69/32,blacklist
109.166.202.229/32,blacklist

After that, you can use the lookup and its fields in your search:

index=NETWORK_INDEX src_ip=10.0.0.0/8
| lookup ip_blacklist ip as dest_ip OUTPUT status
| where status="blacklist"
| stats count by src_ip, dest_ip

Or using Network Traffic data model:

| from datamodel:Network_Traffic.All_Traffic
| search src_ip=10.0.0.0/8
| lookup ip_blacklist ip as dest_ip OUTPUT status
| where status="blacklist"
| stats count by src_ip, dest_ip

create lookup for blacklisted ip address

lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!