Thanks a lot for pointers

We did manage to extract the json and parse/convert it to produce a simple CSV lookup in Splunk.

We have 2 fields and it is quite easy (Ip_Range/Network_Name).

Only problem we have so far is that despite using the "CIDR(Ip_Range)" match type in the lookup definition, it doesnt match any IP which has the subnet behind.

For example:

158.64.79.14 would match 158.64.79.14 in the csv, but not 158.64.79.14/32 (do not even ask for network ranges)

Is there anything to do about this ?

Query is quite simple:

index="msexchange" | stats count by xff | lookup cloudproviders_lookup Ip_Range as xff OUTPUTNEW Network_Name

Just what I am looking for!

Can you share any of your code for the creating the lookup table from the JSON?

Sure, I will dig on the scripts tomorrow.

Short story: from the JSON I retrieve (wget/curl), I create an ordered CSV file which is dynamic and imported into splunk. I can give you some lines to render the JSON into CSV if that may be useful?

I might even make a short LinkedIn article about that because the more I talk about this, the more people are surprised to learn that outlook mobile traffic is proxified by MS (so it is fairly difficult to say if an ip source is suspicious or not).

What bothers me is that if someone uses outlook mobile, you are not even able to know the actual location of the fellow (he might use a VPN also yeah, but at least not merged in the MS ip...)

Even the code you have for that move from the JSON to CSV would be great. I think I might try to make an app that does this activity, and updates a lookup for all the cloud providers.

Yes, MS does make it confusing often, there might be fewer use cases than I imagine with the data set. Good to start digging though.

If you do a linkedin article post the link 🙂 

Nothing too fancy... (and not optimized for bash gurus :p)

#!/bin/bash
TIMESTAMP=$(date '+%Y%m%d%H%M%S')
URL="https://endpoints.office.com/endpoints/worldwide?noipv6&ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7"
OUTPUTFILE="${TIMESTAMP}_MappingAllNetwork"

echo "Retrieving Microsoft IPs:"
curl "${URL}" > "${OUTPUTFILE}_raw"
jq . "${OUTPUTFILE}_raw" > "${OUTPUTFILE}_json" && rm "${OUTPUTFILE}_raw"
egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+/[0-9]+' "${OUTPUTFILE}_json" | sort -un -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | grep -o '^[^#]*' | sed 's/$/,EXTERNAL,WIRED,CLOUD PROVIDERS/' > "${OUTPUTFILE}_sorted" && rm "${OUTPUTFILE}_json"

We produce a csv as follows: IpRange,Zone,Type,Site

So this is why you see "EXTERNAL, WIRED, CLOUD PROVIDERS" 🙂

We found out, it was because the directive in the lookup was CIDR([Ip_Range]) and not CIDR(Ip_Range)

I found this list too - IPs of all 365 services:

https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a...