Overview
Lookups can be used to correlate IP addresses with CIDR ranges (net4 and net6), which makes lookups a more powerful tool with more contexts of use. This functionality enhances your ability to analyze and visualize network activity by identifying and classifying IPs according to the CIDR range they belong to, for example by linking them to their corresponding office locations.
Use cases
This feature is particularly useful for network monitoring and incident response, as it allows users to quickly identify the geographical or organizational context of network activity. By correlating IP addresses with office locations, teams can enhance their operational awareness and response capabilities.
How it works
This feature uses a lookup table to match IP addresses from logs against predefined CIDR ranges. In this context, a different matching operation is transparently used: instead of the equal operation used by regular lookups, the is in operation is used to find an IP within a range of CIDR values. When an IP address falls within a specific range, the match value associated with that range is returned, providing immediate context for the network activity.
Example Query
Here is how to implement this feature using a query.

Info: Only for newly created lookups.

Query example
You can use the Lookup (lu) operation to enrich your data with the following lookup:
Lookup name: internet_providers
Lookup fields: cidr (key), network_name
This is the required syntax for the enrichment using the lookup above:

```
from siem.logtrust.web.activity
  select ip4(srcHost) as IP4
  select lu("internet_providers", "network_name", IP4) as network_name
```

The values in the network_name lookup field will be brought into your table when the values in the IP4 field fall within the range of the cidr field. When they do not, null will be returned.

Explanation
1. **Extracting IPs**: The query extracts IP addresses from the `srcHost` column and uses the `ip4()` function to handle IPv4 addresses. You can also specify IPs directly, as shown with `ip_of_john_activity` and `ip_of_carl_activity`.
2. **Lookup Functionality**: The `lu/offices_fake4` lookup function is employed to match the extracted IPs against the CIDR ranges in the lookup table. If an IP address falls within a defined CIDR range, the corresponding office name is returned.

Sample Output
The results from this query will indicate which office each IP address is associated with. For example, if `100.63.39.51` belongs to the range in the lookup, the output will return "office_madrid".
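The following is an added example, not Devo's own code and not the LINQ query on this page: a small Python model of the "is in" matching described under "How it works", and of the null result described for the query example when no CIDR range contains the IP. It assumes the lookup is a list of (cidr, value) rows (the page's `cidr` key and `network_name` match columns), that net4 and net6 rows may be mixed in one table, and that when several ranges contain the same IP the most specific one (longest prefix) wins; the page does not say how Devo resolves overlaps, so that rule is an assumption. The table rows and srcHost values are constructed for illustration.

```python
"""Model of a CIDR-range lookup: equal matching replaced by an "is in" check.

Added example (not Devo's code). Assumptions: rows are (cidr, value) tuples,
IPv4 and IPv6 rows may be mixed, and on overlapping ranges the longest prefix
wins. All sample data below is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed lookup table: key column "cidr", match column "network_name".
INTERNET_PROVIDERS: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "corp_backbone"),
    ("10.20.0.0/16", "office_madrid"),      # more specific than 10.0.0.0/8
    ("192.168.1.0/24", "lab_vlan"),
    ("2001:db8::/32", "doc_prefix_v6"),     # net6 row in the same table
]

# Constructed srcHost values, as a log query might extract them.
SAMPLE_SRCHOSTS = ["10.20.3.4", "10.99.1.1", "8.8.8.8", "2001:db8:1::5", "not-an-ip"]


def build_lookup(rows):
    """Parse every CIDR once; strict=True rejects rows whose host bits are set.

    Rows are sorted longest-prefix-first so the first hit is the most specific.
    """
    table = []
    for cidr, value in rows:
        net = ipaddress.ip_network(cidr, strict=True)  # raises ValueError on bad rows
        table.append((net, value))
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def lu_cidr(table, ip_text: str) -> Optional[str]:
    """'is in' match: value of the most specific range containing ip_text, else None.

    None stands for the null the page describes when no range matches; an
    unparsable IP also yields None rather than raising, mirroring a failed ip4().
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, value in table:
        # Version check is explicit: a v6 address is never "in" a v4 range.
        if ip.version == net.version and ip in net:
            return value
    return None


def enrich(table, srchosts) -> List[Tuple[str, Optional[str]]]:
    """Emulate `select lu("internet_providers", "network_name", IP4)` over rows."""
    return [(host, lu_cidr(table, host)) for host in srchosts]


if __name__ == "__main__":
    lookup = build_lookup(INTERNET_PROVIDERS)
    for host, network_name in enrich(lookup, SAMPLE_SRCHOSTS):
        print(f"{host:16} -> {network_name}")
```

Note that `build_lookup` raises on a row such as `10.0.0.1/8` (host bits set), which is the kind of malformed key worth catching when the lookup is loaded rather than at query time.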