We are blocking a list of different known malicious IP ranges on our Check Point firewalls. We do receive the syslog info from Check Point just fine. How can I search for all of the different ranges and put them into a dashboard?
You can also search for CIDR blocks in lookups. One approach would be to keep that list of known malicious IP ranges in a CSV lookup (it could also be a database that you pull with DBX).
Configure CIDR-based lookups. In transforms, you need to configure the CIDR field:
[badipranges]
filename = badipranges.csv
max_matches = 1
min_matches = 1
default_match = OK
match_type = CIDR(badiprange)
Note that CIDR(badiprange) tells Splunk which field is in CIDR notation.
You can then run your lookups against this list.
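To make the matching semantics of the stanza above concrete before wiring it into Splunk, here is an added example (not from the answer above, and not Splunk code): a small Python emulation of a `match_type = CIDR(badiprange)` lookup run over constructed Check Point-style syslog lines. The CSV contents, the log lines, the `src="..."` field layout and the `description` column are all assumptions made up for the example; only the `badiprange` column name and the `default_match = OK` behaviour come from the stanza.

```python
# Added example (not from the original post): emulates what a Splunk
# transforms.conf stanza with match_type = CIDR(badiprange), max_matches = 1,
# min_matches = 1 and default_match = OK does to each event, and then counts
# hits per range the way a dashboard panel would.
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample lookup table. In Splunk this is badipranges.csv in the
# app's lookups directory; the column name must equal the field named in
# match_type = CIDR(badiprange). The ranges are documentation/test prefixes.
BADIPRANGES_CSV = """badiprange,description
203.0.113.0/24,constructed-range-A
198.51.100.0/25,constructed-range-B
2001:db8:bad::/48,constructed-ipv6-range
"""

# Constructed syslog lines in a simplified Check Point style (assumed field
# layout; the real format depends on the log export you use).
SYSLOG_LINES = [
    'Jan 12 10:00:01 fw1 CP-GW: action="Drop" src="203.0.113.45" dst="10.0.0.5" service="443"',
    'Jan 12 10:00:02 fw1 CP-GW: action="Accept" src="192.0.2.10" dst="10.0.0.5" service="80"',
    'Jan 12 10:00:03 fw1 CP-GW: action="Drop" src="198.51.100.77" dst="10.0.0.9" service="22"',
    'Jan 12 10:00:04 fw1 CP-GW: action="Drop" src="198.51.100.200" dst="10.0.0.9" service="22"',
    'Jan 12 10:00:05 fw1 CP-GW: action="Drop" src="2001:db8:bad::1" dst="2001:db8::9" service="443"',
    'Jan 12 10:00:06 fw1 CP-GW: action="Drop" src="203.0.113.9" dst="10.0.0.5" service="8080"',
]

SRC_RE = re.compile(r'src="([^"]+)"')


def load_ranges(csv_text):
    """Parse the lookup CSV into (ip_network, description) pairs, file order preserved."""
    ranges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["badiprange"].strip(), strict=False)
        ranges.append((net, row["description"]))
    return ranges


def cidr_lookup(ip_text, ranges, default_match="OK"):
    """Return the first CIDR (in file order) containing ip_text, or default_match.

    This mirrors max_matches = 1 / min_matches = 1 / default_match = OK:
    one match at most, and the default value when nothing matches. Unparseable
    source fields also fall through to the default instead of raising.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return default_match
    for net, _desc in ranges:
        if ip.version == net.version and ip in net:
            return str(net)  # normalised CIDR text, e.g. "203.0.113.0/24"
    return default_match


def count_hits(lines, ranges, default_match="OK"):
    """Per-range hit counts: the numbers a 'blocked by range' dashboard panel would chart."""
    counts = Counter()
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue  # no src field: nothing to look up
        matched = cidr_lookup(m.group(1), ranges, default_match)
        if matched != default_match:
            counts[matched] += 1
    return dict(counts)


if __name__ == "__main__":
    ranges = load_ranges(BADIPRANGES_CSV)
    for cidr, n in sorted(count_hits(SYSLOG_LINES, ranges).items()):
        print(f"{cidr}\t{n}")
```

Note that 198.51.100.200 is outside 198.51.100.0/25 (which ends at .127), so it is correctly not counted; a /25 versus /24 mistake in the CSV is the kind of error this emulation surfaces before the lookup goes live. The emulation picks the first row in file order when ranges overlap; check your Splunk version's documented behaviour for overlapping CIDR entries rather than assuming the same. On the real data, assuming your Check Point add-on extracts the source address into a field named src, the equivalent search would be along the lines of `... | lookup badipranges badiprange AS src OUTPUT badiprange AS matched_range | search matched_range!=OK | stats count by matched_range`, which you can then save as a dashboard panel.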
Is the block list known to Splunk, either in a CSV file or SQL database?
It is not in a CSV. I could find those ranges in a CSV.