Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Current »

Overview

Lookups can be used to easily correlate IP addresses with CIDR ranges (net4 and net6), making lookups an even more powerful tool with even more contexts of use. This functionality enhances your ability to analyze and visualize network activity by identifying and classifying IPs according to the CIDR range they belong to.

Use cases

This feature is particularly useful for network monitoring and incident response, as it allows users to quickly identify the geographical or organizational context of network activity. By correlating IP addresses with office locations, teams can enhance their operational awareness and response capabilities.

How it works

In this use context, a different operation is transparently used to find matches. Instead of using the equal operation as in the regular use of lookups, it uses the is in operation to find an IP within a range of CIDR values. For example, when an IP address falls within a specific range, the associated value is returned, providing immediate context for network activity.

Only for newly created lookups

Query example

You can use the Lookup (lu) operation to enrich your data with the following lookup:

  • Lookup name: internet_providers

  • Lookup fields: cidr (key), network_name

This is the required syntax for the enrichment using the lookup above:

from siem.logtrust.web.activity
select ip4(srcHost) as IP4
select lu("internet_providers", "network_name", IP4) as network_name

The values in the network_name lookup field will be brought into your table when the values in the IP4 field fall within the range of the CIDR field. When they do not, null will be returned.

10_IP to CIDR.png

  • No labels