Splunk Enterprise Security

How do I Add a cidr filter to the existing correlation rule?

Treize
Engager

Hi, I am a beginner.
I have a correlation rule that:
- searches for IP addresses that are performing port scans
- checks the lookup table to see whether each IP address is listed
- if an IP address is not in the lookup table: makes an alert in ES
- adds this IP to the lookup table (to avoid duplicates)

I have two lookup tables:
- scan_port.csv
- network_provider.csv

Now I would like to filter the IP addresses by a lookup table (a list of CIDR ranges: "network_provider.csv").
If possible, this filter would come first in this correlation rule, to avoid adding a filtered IP to the lookup table "scan_port.csv".

The priority is to:
- Find the port scan of the IPs
- Filter IPs (by the lookup table "network_provider")
- Check for duplicates (by the lookup table "scan_port")
- Make an alert
- Add the IP in the search table (port scan)

As I said, I have a correlation rule for port scans that has been working for years.
I would like to add the filter by CIDR range. I have the command (cidrmatch) that works for the filter.
But I can't get it to work: between the port scan lookup and the two lookup tables, I can't find a solution.

Any ideas?
Thanks in advance


VatsalJagani
SplunkTrust
SplunkTrust

@Treize - You can have something like this:

<your-query>
| search NOT [| inputlookup network_provider.csv | table network_ip_range | rename network_ip_range as src_ip]  --> Filter IPs (by the lookup table "network_provider")
| search NOT [| inputlookup scan_port.csv | table src_ip]  --> Check for duplicates (by the lookup table "scan_port")
| appendpipe [| table src_ip | outputlookup append=true scan_port.csv]  --> Add the IP in the search table (port scan)

--> The rest of the results will be left here and ES will generate an alert for them according to the correlation search rules

Assumptions (make changes to the query accordingly):

* The IP field in your data and in the scan_port.csv lookup is src_ip.

* The IP range field in your network_provider.csv lookup is network_ip_range.

I hope this helps!!! Karma/upvote would be appreciated!!!
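
The filter / dedupe / append order from the answer above, modelled in Python as an added example (it is not Splunk code and not from the original post). The lookup CSV contents and the scanner IPs are constructed; it also goes slightly beyond the posted query by dropping repeats of the same IP within a single run.

```python
import csv
import io
import ipaddress

# Constructed sample lookups and events (not from the original post).
NETWORK_PROVIDER_CSV = """network_ip_range
10.0.0.0/8
192.168.1.0/24
"""

SCAN_PORT_CSV = """src_ip
203.0.113.5
"""

SCANNER_EVENTS = ["10.20.30.40", "203.0.113.5", "198.51.100.7",
                  "192.168.1.9", "198.51.100.7", "not-an-ip"]


def load_column(csv_text, field):
    """Mimic `| inputlookup x.csv | table <field>`: read one column of a lookup."""
    return [row[field] for row in csv.DictReader(io.StringIO(csv_text))]


def in_allowed_ranges(ip, ranges):
    """Mimic cidrmatch() / `search src_ip=<cidr>`: True if ip is inside any range.
    Malformed values never match, so they fall through to the later steps."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def correlate(events, provider_csv, scan_port_csv):
    """Apply the pipeline in the answer's order: CIDR filter, dedupe, alert, append.
    Returns (alerted_ips, updated scan_port.csv text)."""
    ranges = load_column(provider_csv, "network_ip_range")
    seen = set(load_column(scan_port_csv, "src_ip"))
    alerts = []
    for ip in events:
        if in_allowed_ranges(ip, ranges):
            continue            # step 1: provider ranges are dropped before anything is recorded
        if ip in seen:
            continue            # step 2: already in scan_port.csv, so no second alert
        alerts.append(ip)       # step 3: this row reaches ES and raises the alert
        seen.add(ip)            # step 4: outputlookup append=true (plus within-run dedupe)
    updated = scan_port_csv + "".join(f"{ip}\n" for ip in alerts)
    return alerts, updated
```

Because the filter runs before the append, 10.20.30.40 and 192.168.1.9 are never written to scan_port.csv, which is exactly the ordering the question asks for.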

Treize
Engager

@VatsalJagani 

Incredible! You are amazing 😃
I've been searching for 4 days. I am really a newbie to this...

Thank you very much, besides solving my problem you just taught me a new way to use SPL, I have to redo my logic.

Thanks again.


VatsalJagani
SplunkTrust
SplunkTrust

@Treize - Yeah. It's called a sub-search (a search within a search: anything between [] square brackets).

* It has many use-cases. This is one of them: using it to build the search query. If you open the Job Inspector you will see the generated search query after the results of the sub-search have been substituted in.

* Useful with other commands like append, join, etc.

* Use it wisely because, to keep performance intact, sub-searches are subject to many limits, like max time to run, max results (50k by default), etc.

* For me, your use-case is a perfect one for describing how/where to use sub-searches.

I hope this helps!!!
