08-07-2021 05:18 AM
Hi, I'm trying to build XQL queries that target internal vs external IP ranges.
This is easy in the normal query builder with 10.0.0.0/8|172.16.0.0/12|192.168.0.0/16 but I'm not able to re-create this in XQL.
dataset = xdr_data | filter event_type = NETWORK | filter action_remote_ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
I tried this to look for external connections, but I still get results in those ranges, so I think it's string matching instead of using the CIDR. I could do this by string matching, but this doesn't scale well for some IP ranges.
I also looked at the 2 CIDR functions incidr and incidrlist however these have a different use case.
Does anyone know if this is possible? If so, can you show me the syntax?
08-11-2021 09:50 AM
I think your search can be accomplished by using this filter setup:
dataset = xdr_data | filter event_type = NETWORK | alter remote_10 = incidr(action_remote_ip,"10.0.0.0/8") | alter remote_172 = incidr(action_remote_ip,"172.16.0.0/12") | alter remote_192 = incidr(action_remote_ip,"192.168.0.0/16") | filter remote_10 = false and remote_172 = false and remote_192 = false
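The following is an added illustration, not part of either post and not Cortex XDR code: it shows why a literal `not in ("10.0.0.0/8", ...)` comparison never excludes a private range, and what a real CIDR membership test (the job `incidr()` does in the accepted filter) returns over a handful of constructed events. The event records and field names are assumptions modelled on the query above.

```python
# Added example (not from the original post or from Cortex XDR): contrasts literal
# string comparison with CIDR membership for the three RFC 1918 ranges in the question.
import ipaddress

# The three private ranges from the question.
PRIVATE_CIDRS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
PRIVATE_NETS = [ipaddress.ip_network(c) for c in PRIVATE_CIDRS]


def in_cidr_list(ip: str, nets=PRIVATE_NETS) -> bool:
    """CIDR membership test, analogous to XQL incidr()/incidrlist().
    Unparseable values count as not-in-range so they are surfaced, not silently dropped."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in nets if net.version == addr.version)


def string_not_in(ip: str, cidrs=PRIVATE_CIDRS) -> bool:
    """What the original filter actually evaluates: literal string inequality.
    An address like 10.20.30.40 is never equal to the string "10.0.0.0/8"."""
    return ip not in cidrs


def external_connections(events):
    """Equivalent of the answer's pipeline: keep NETWORK events whose remote IP
    lies outside all three private ranges."""
    return [e for e in events
            if e["event_type"] == "NETWORK" and not in_cidr_list(e["action_remote_ip"])]


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "NETWORK", "action_remote_ip": "10.20.30.40"},
    {"event_type": "NETWORK", "action_remote_ip": "172.31.255.1"},   # inside 172.16.0.0/12
    {"event_type": "NETWORK", "action_remote_ip": "172.32.0.1"},     # just outside it
    {"event_type": "NETWORK", "action_remote_ip": "192.168.1.5"},
    {"event_type": "NETWORK", "action_remote_ip": "203.0.113.7"},
    {"event_type": "PROCESS", "action_remote_ip": "203.0.113.8"},    # wrong event_type
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        ip = e["action_remote_ip"]
        print(f"{ip:>15}  string_not_in={string_not_in(ip)!s:5}  private={in_cidr_list(ip)}")
    print([e["action_remote_ip"] for e in external_connections(SAMPLE_EVENTS)])
```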