Solved: Re: Creating a Lookup for respective cidr ranges

cbrissett · ‎07-12-2021

Hi, I am trying to create a query to highlight when specified accounts are used outside of their corresponding IP range by using a csv Lookup table.

For example, user account 'user1' has signed in from source ip 10.0.0.200 but they are only meant to sign in from 10.0.0.0/25 or 11.0.0.0/25 or 12.0.0.0/25, The csv file would be like follows:

User, allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
User1, 10.0.0.0/25, 11.0.0.0/25, 12.0.0.0/25
User 2, 10.0.0.128/25, 11.0.0.128/25
User 3 10.0.1.0/25

Note that some accounts have a single range, some multiple. Does anyone know how I could make an appropriate Lookup command that will only show user accounts that have been used outside of their designated ip ranges?

kamlesh_vaghela · ‎07-12-2021

@cbrissett

Can you please try this example?

I have used lookup named cidr_lookup.csv with below value.

User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25 
User3,10.0.1.0/25

transforms.conf

[cidr_lookup]
filename = cidr_lookup.csv

Search:

YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source

My Sample Search :

| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1" 
| rename comment as "Upto Now is sample data only" 
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) 
| table User source

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎07-12-2021

@cbrissett

Can you please try this example?

I have used lookup named cidr_lookup.csv with below value.

User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25 
User3,10.0.1.0/25

transforms.conf

[cidr_lookup]
filename = cidr_lookup.csv

Search:

YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source

My Sample Search :

| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1" 
| rename comment as "Upto Now is sample data only" 
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) 
| table User source

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

cbrissett · ‎07-13-2021

Thanks very much this worked!

Creating a Lookup for respective cidr ranges

eval

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!