Where Did You Come From?

We extracted the Source and Destination IPs, now we need to see what part of the network they are from (so long as they are private IP addresses).

important
  1. Click OK to close the expanded Regex window
  2. Click + Function
  3. Click Lookup (not DNS Lookup)

The idea here is to call that CSV file we uploaded and use it as a Lookup index. We added an IP address and the file contains a correlated piece of information (in this case the administrative name of the CIDR location).

important

Fill out the Lookup Function details:

  1. Replace the True filter with: 
    C.Net.isPrivate(src_ip)
  2. Description: IP address Lookup for SecOps
  3. Lookup file path: security-cidr-lookup.csv
  4. Match Mode: CIDR
  5. Match Type: Most Specific
  6. Lookup Fields
    1. Lookup Field Name in Event: src_ip
    2. Corresponding Field Name in Lookup: cidr
  7. Under Output Fields click + Add field(s) then enter the following:
    1. Output Field Name from Lookup: location
    2. Lookup Field Name in Event: src_subnet_usage
  8. Click Save

Some of that needs explanation. Our filter is checking if the Source IP is a private address (meaning part of ACME corps internal networks). If it is, we open Ed’s file looking for the most specific subnet (CIDR / Most Specific) in the cidr column inside the file. Then we output the corresponding location from the file into a new field in the event titled src_subnet_usage.

Basically, Ed wants a quick way to check which internal network the traffic is coming from when the data eventually finds its way into our SIEM.

Regex Extract FunctionLookup - Destination