
CIDR Challenge

Can You Group Events by Subnet?

Our final challenge was inspired by a customer request: Can Cribl Stream help us sort incoming events by project group?

In this customer's network, each project group was associated with a given subnet. They wanted to be able to sort the millions of intermingled events in their NetFlow logs into different indexes, so that only members of a given project group could view those events.

Further, they wanted to filter out events that were not sent from any of their project groups – saving significantly on both their infrastructure and their licensing costs.

NetFlow Lookup

To accomplish this in Cribl Stream, we leveraged the Lookup Function's ability to key off of CIDR ranges. In the example we'll work on here, the customer's network is divided into four subnets, each associated with a given team. We will use:

  • The Parser Function, to parse comma-separated NetFlow events into fields.
  • The Lookup Function, in CIDR mode, to match each event's source address with the correct subnet and team.
  • The Eval Function, to add the index field to each event's metadata, so that it is stored correctly once it reaches a SIEM.
  • Finally, the Drop Function, to drop events that did not match any team's subnet.
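As an added illustration (not part of the original post and not Cribl's own code), here is the same four-stage flow in plain Python using the standard `ipaddress` module: parse the CSV event, look up the source IP against a CIDR table, tag the event with its team and index, and drop anything that matches no subnet. The subnets, team names, index names and NetFlow column order are all assumed values constructed for the example; the lookup also handles two cases worth checking in production, overlapping ranges (longest prefix wins) and malformed addresses (treated as unmatched rather than crashing the pipeline).

```python
import csv
import ipaddress

# Constructed lookup table (assumed values, not the customer's network): CIDR -> team -> index.
# 10.1.200.0/24 sits inside 10.1.0.0/16 to show that the longest prefix wins.
SUBNET_TABLE = [
    ("10.1.0.0/16", "alpha", "netflow_alpha"),
    ("10.1.200.0/24", "alpha-lab", "netflow_alpha_lab"),
    ("10.2.0.0/16", "bravo", "netflow_bravo"),
    ("192.168.50.0/24", "delta", "netflow_delta"),
]
# Parse the ranges once and order them most specific first.
NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), team, index) for cidr, team, index in SUBNET_TABLE),
    key=lambda entry: entry[0].prefixlen, reverse=True,
)
# Assumed column order of the comma-separated NetFlow events.
FIELDS = ["ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "bytes"]

def cidr_lookup(ip_str):
    """Return (team, index) for the most specific subnet containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed address: unmatched, not a crash
        return None
    for network, team, index in NETWORKS:
        if ip.version == network.version and ip in network:
            return team, index
    return None

def process(raw_lines):
    """Parser -> Lookup (CIDR) -> Eval (set index) -> Drop (no team match)."""
    kept = []
    for event in csv.DictReader(raw_lines, fieldnames=FIELDS):
        match = cidr_lookup(event["src_ip"])
        if match is None:
            continue  # Drop: source is outside every project-group subnet
        event["team"], event["index"] = match  # Eval: tag for per-team routing
        kept.append(event)
    return kept

# Constructed sample events, one per line, in FIELDS order.
SAMPLE_EVENTS = [
    "1700000000,10.1.4.7,8.8.8.8,51000,53,udp,120",
    "1700000001,10.1.200.9,10.2.0.5,443,51001,tcp,900",
    "1700000002,172.16.9.9,10.1.4.7,22,51002,tcp,64",
    "1700000003,not-an-ip,10.1.4.7,22,51003,tcp,64",
]
```

Running `process(SAMPLE_EVENTS)` keeps the first two events (tagged `netflow_alpha` and `netflow_alpha_lab`) and drops the other two, which is the same keep/drop split the Cribl pipeline above produces.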