Versions Compared

Version Old Version 1 New Version 2
Changes made by

Borja Moro Moreno

Borja Moro Moreno

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel2
outlinefalse
stylenone
typeflat
printabletrue

Overview

This feature allows you to easily correlate IP addresses with CIDR ranges (net4 and net6). This functionality enhances your ability to analyze and visualize network activity by linking IPs to their corresponding office locations.

How it works

This feature uses a lookup table to match IP addresses from logs against predefined CIDR ranges. For example, when an IP address falls within a specific range, the associated match is returned, providing immediate context for network activity.

...

Query

...

example

Code Block
from siem.logtrust.web.activity

...


  select ip4(srcHost) as ip_home_tomas

...


  select `lu/offices_fake4`(ip_home_tomas) as where_is_tomas  select ip4(“100.63.39.51”) as ip_of_john_activity

...


  select `lu/offices_fake4`(ip_of_john_activity) as where_is_john  select ip4(“120.20.20.20") as ip_of_carl_activity

...


  select `lu/offices_fake4`(ip_of_carl_activity) as where_is_carl

Explanation

...

  • Extracting IPs

...

  • :

...

  • the query extracts IP addresses from the

...

  • srcHost column and uses the

...

  • ip4()

...

  • function to handle IPv4 addresses. You can also specify IPs directly, as shown with

...

  • ip_of_john_

...

  • activity and

...

  • ip_of_carl_

...

  • activity.

...

  • Lookup Functionality

...

  • :

...

  • the `lu/offices_fake4` lookup function is employed to match the extracted IPs against the CIDR ranges in the lookup table. If an IP address falls within a defined CIDR range, the corresponding office name is returned.

Sample Output

  • The results from this query will indicate which office each IP address is associated with. For example, if`100.63.39.

...

  • 51 belongs to the range in the lookup, the output will return

...

  • office_madrid.

...

Use

...

cases

This feature is particularly useful for network monitoring and incident response, as it allows users to quickly identify the geographical or organizational context of network activity. By correlating IP addresses with office locations, teams can enhance their operational awareness and response capabilities.Start leveraging this powerful new feature today to improve your network analysis!