Hi, I am trying to create a query to highlight when specified accounts are used outside of their corresponding IP range by using a csv Lookup table.
For example, user account 'user1' has signed in from source ip 10.0.0.200 but they are only meant to sign in from 10.0.0.0/25 or 11.0.0.0/25 or 12.0.0.0/25, The csv file would be like follows:
User, allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
User1, 10.0.0.0/25, 11.0.0.0/25, 12.0.0.0/25
User 2, 10.0.0.128/25, 11.0.0.128/25
User 3 10.0.1.0/25
Note that some accounts have a single range, some multiple. Does anyone know how I could make an appropriate Lookup command that will only show user accounts that have been used outside of their designated ip ranges?
Can you please try this example?
I have used lookup named cidr_lookup.csv with below value.
User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25
User3,10.0.1.0/25
transforms.conf
[cidr_lookup]
filename = cidr_lookup.csv
Search:
YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source
My Sample Search :
| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1"
| rename comment as "Upto Now is sample data only"
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
Can you please try this example?
I have used lookup named cidr_lookup.csv with below value.
User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25
User3,10.0.1.0/25
transforms.conf
[cidr_lookup]
filename = cidr_lookup.csv
Search:
YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source
My Sample Search :
| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1"
| rename comment as "Upto Now is sample data only"
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
Thanks very much this worked!