Splunk Search

Matching an IP address from a lookup table of CIDR ranges

jwalzerpitt
Influencer

I am trying to search events where the destination IP is in a lookup table consisting of a list of CIDR ranges (and three other columns that note the zone, firewall, and context), and I'm having issues getting output to return the subnets that matched the SRC and destination IPs. My search is as follows:

index=symantec sourcetype=symantec:ep:risk:file (action=allowed OR action=deferred) AND Risk_Action="Virus found"
| rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name"
| fields "Host IP"
| lookup ip_cidr cidr_range as "Host IP" OUTPUT cidr_range as ip_match

I followed the info from the link - https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html, and the events are returned with the Host IP field and the ip_match field, but the value for the ip_match field is "NONE".

What I'm trying to do is have each Host IP compared to the CIDR ranges and, when it matches, pull the other three fields so I can create a table that identifies the location of each system.

Thx

0 Karma
1 Solution

woodcock
Esteemed Legend

You are copying the other answer too closely. Do copy the setup parts but run your search like this:

index=symantec sourcetype=symantec:ep:risk:file (action=allowed OR action=deferred) AND Risk_Action="Virus found"
| lookup ip_cidr cidr_range AS dest
| rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name"

jwalzerpitt
Influencer

The only issue left is that the zone/context have multiple values listed and not just the singular value for zone/context. Not sure why it's pulling multiple values for zone and context when the IP is only part of just one zone/context.

Thx

0 Karma

woodcock
Esteemed Legend

OK, if this fixed it for you, please do click Accept to close the question.

0 Karma

jwalzerpitt
Influencer

Thx for the clarification. The search produced results, but for the other three fields of the lookup table - zone, firewall, context, each shows a value of "none".

How can I modify the search to populate the three fields so that I'm able to trace the user to their zone, firewall, and context?

Thx

0 Karma

jwalzerpitt
Influencer

Really weird - after fooling around with the search I finally got it to run. I had this originally:

index=symantec sourcetype=symantec:ep:risk:file (action=allowed OR action=deferred) AND Risk_Action="Virus found"
| lookup ip_cidr cidr_range as "Host IP"
| rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name"

and the zone, firewall, and context fields were set to "None". However, there was another field - IP_Address - and I changed the search to:

index=symantec sourcetype=symantec:ep:risk:file (action=allowed OR action=deferred) AND Risk_Action="Virus found"
| lookup ip_cidr cidr_range as IP_Address
| rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name"

and the zone, firewall, and context fields are populated with the relevant information.

Thx again for the help!

0 Karma
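As an added illustration (not part of the thread, and not Splunk's own code), the Python below emulates what a CSV lookup defined with `match_type = CIDR(cidr_range)` does to one event. It shows the two behaviours discussed above: when the input field does not exist yet (e.g. "Host IP" before the rename has run) nothing matches and the output fields stay empty, and when ranges overlap every matching row contributes a value, which gives the multivalue zone/context seen in the follow-up. The sample table and the `longest_prefix_only` switch are constructed here as assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of the ip_cidr lookup table (same four columns as in the thread).
# 10.1.5.0/24 sits inside 10.1.0.0/16 on purpose to show overlapping ranges.
LOOKUP_CSV = """cidr_range,zone,firewall,context
10.1.0.0/16,corp,fw-core,workstations
10.1.5.0/24,corp-lab,fw-lab,lab
192.168.50.0/24,dmz,fw-edge,web
"""

OUTPUT_FIELDS = ("zone", "firewall", "context")


def load_lookup(text=LOOKUP_CSV):
    """Parse the CSV into (network, row) pairs, the way a lookup with
    match_type = CIDR(cidr_range) treats the cidr_range column."""
    return [(ipaddress.ip_network(r["cidr_range"], strict=False), r)
            for r in csv.DictReader(io.StringIO(text))]


def cidr_lookup(event, input_field, table, longest_prefix_only=False):
    """Emulate `| lookup ip_cidr cidr_range AS <input_field>` on one event.

    Every row whose range contains the address contributes its values, so
    overlapping ranges yield multivalue zone/firewall/context fields. If the
    input field is absent or not an address, no output fields are added.
    longest_prefix_only=True (an assumed option) keeps only the most specific range.
    """
    result = dict(event)
    try:
        ip = ipaddress.ip_address(event.get(input_field))
    except (ValueError, TypeError):
        return result  # field missing or not an IP: nothing to match
    matches = [(net, row) for net, row in table if ip in net]
    if longest_prefix_only and matches:
        matches = [max(matches, key=lambda m: m[0].prefixlen)]
    for _, row in matches:
        for col in OUTPUT_FIELDS:
            result.setdefault(col, []).append(row[col])
    return result


if __name__ == "__main__":
    table = load_lookup()
    print(cidr_lookup({"dest_ip": "10.1.5.20"}, "dest_ip", table))    # two zones
    print(cidr_lookup({"dest_ip": "10.1.5.20"}, "Host IP", table))    # field missing, no zone
    print(cidr_lookup({"dest_ip": "10.1.5.20"}, "dest_ip", table, longest_prefix_only=True))
```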