Kusto Query Language - Microsoft Defender IP Subnet Query - kql

Is there a way to query for IP ranges from the DeviceEvent table using IP subnet notation i.e. 1.1.1.0/24 vs. listing individual IPs 1.1.1.1?
Instead of listing individual IPs, for example
| where LocalIP == "1.1.1.1"
I would like to list the subnet range "1.1.1.1 - 1.1.1.255" or "1.1.1.0/24".

datatable(LocalIP:string)["1.1.0.255", "1.1.1.0", "1.1.1.179", "1.1.1.255", "1.129.13.42", "2.0.0.0"]
| where ipv4_is_in_range(LocalIP, "1.1.1.0/24")
LocalIP
1.1.1.0
1.1.1.179
1.1.1.255

Related

Bigquery code to return results matching two search parameters

I'm trying to return results which feature two specific IP addresses. I know that if I use the following "AND ip = " and only enter one address, it returns those results. I can also use OR and get results which feature either of the two addresses. Unfortunately I can't figure out how to only return results which feature both IP addresses. Any ideas?
Tried "AND ip = ", "AND ip = xxx.xxx.xxx.xxx AND xxx.xxx.xxx.xxx.", "AND ip = (xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx)"

Match partial string from list with field

I'm trying to check if a field contains a value from a list using Kusto in Log analytics/Sentinel in Azure.
The list contains top-level domains, but I only want matches for subdomains of these top-level domains. The list value example.com should match values such as forum.example.com or api.example.com.
I got the following code but it does exact matches only.
let domains = dynamic(["example.com", "amazon.com", "microsoft.com", "google.com"]);
DeviceNetworkEvents
| where RemoteUrl in~ (domains)
| project TimeGenerated, DeviceName, InitiatingProcessAccountUpn, RemoteUrl
I tried with endswith, but couldn't get that to work with the list.
It seems that has_any() would work for you:
let domains = dynamic(["example.com", "amazon.com", "microsoft.com", "google.com"]);
DeviceNetworkEvents
| where RemoteUrl has_any(domains)
| project TimeGenerated, DeviceName, InitiatingProcessAccountUpn, RemoteUrl
Note that you can also use has_any_index() to get which item in the array was matched.
In order to correctly match URLs with a list of domains, you need to build a regex from these domains, and then use the matches regex operator.
Make sure you build the regex correctly, in order not to allow these:
example.com.hacker.com
hackerexample.com
hacker.com/example.com
Etc...
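An added example (mine, not code from either answer or from the KQL documentation) that builds the regex this answer calls for and checks it against the three cases above: every dot is escaped, the pattern is anchored to the whole host so a domain cannot sit in the middle of a longer name or inside a longer label, and a URL is reduced to its host first so a domain in the path cannot match. The pattern uses only constructs that RE2 (the engine behind KQL's matches regex) supports, so kql_where_clause() emits a clause you can paste into the query; that clause assumes RemoteUrl holds a bare hostname, as the question's in~ comparison does. The domain list is copied from the question.

```python
import re
from urllib.parse import urlparse

# Domain list from the question (constructed allow-list, not real telemetry)
DOMAINS = ["example.com", "amazon.com", "microsoft.com", "google.com"]


def build_domain_regex(domains):
    """Regex that matches a host equal to one of `domains` or a subdomain of
    one of them, and nothing else:
      - re.escape turns "." into "\\." so it cannot match any character
        (rejects "hackerexample.com" via "example.com"? no: see anchoring)
      - ^ ... $ anchor the whole host, so "example.com.hacker.com" fails
        (nothing may follow the domain) and "hackerexample.com" fails
        (only whole dot-separated labels may precede it)
    """
    alternatives = "|".join(re.escape(d) for d in domains)
    return rf"^([a-z0-9-]+\.)*({alternatives})$"


DOMAIN_PATTERN = re.compile(build_domain_regex(DOMAINS), re.IGNORECASE)


def host_of(url):
    """Host part of a URL, lowercased; a bare hostname is returned as-is.
    Reducing to the host is what stops "hacker.com/example.com" matching."""
    if "://" not in url:
        url = "//" + url          # make urlparse treat the start as netloc
    return urlparse(url).hostname or ""


def url_matches_domains(url, pattern=DOMAIN_PATTERN):
    return pattern.search(host_of(url)) is not None


def kql_where_clause(domains, column="RemoteUrl"):
    """KQL filter using the same regex. A verbatim string (@"...") keeps the
    backslashes literal; (?i) makes the RE2 match case-insensitive like in~."""
    return f'| where {column} matches regex @"(?i){build_domain_regex(domains)}"'


if __name__ == "__main__":
    for url in ["forum.example.com", "https://api.example.com/login",
                "example.com.hacker.com", "hackerexample.com",
                "hacker.com/example.com"]:
        print(f"{url:32} -> {url_matches_domains(url)}")
    print(kql_where_clause(DOMAINS))
```

The alternation is generated rather than hand-written so that adding a domain to the list cannot leave an unescaped dot behind; in the KQL form, keep the list and the generated clause together so the two do not drift apart.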

How to change IP Address to other format?

I need to include the client's IP address in a signature code. I use this code to get the client's IP address:
SELECT client_net_address as IPAdd
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
I can now get the IP Address as:
Ex: 192.168.1.24
How can I reformat it to something like this:
192168001024
I know we can do something like this in C# by using Split, PadLeft and Concat. But is it possible to do it in SQL Server too?
Thank You.
You have to write a function and call it from the query; there is no direct method for such a notation transformation.

Want to check ip address format in apache pig

If url_chk_str matches any IP address similar to xxx.xxx.xxx.xxx, then do something.
Here x denotes any integer value from 0 to 9.
url_chk_str is any string in the input data.
For example: 123.456.789.101
Is the above scenario possible in Apache Pig? If yes, how?
Let me know if someone wants any additional information.
You can do it like this:
a = load '/path/data' using PigStorage() as (url_chk_str, somethingelse);
-- matches tests the whole string against a Java regex, so each dot must be
-- escaped (an unescaped '.' matches any character) and each octet allows
-- one to three digits, which covers the 123.456.789.101 example
b = foreach a generate ((url_chk_str matches '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}') ? value_if_true : value_if_false);

Logstash count by unique IP

I'm trying to do some log analysis with Logstash.
I need to count unique IPs from an Apache access log, then I need to match them with a count filter, to determine if an email will be sent.
Something like this:
If 10+ accesses from a unique IP in a 5-minute interval are found, then I need to send an email with this IP in it.
What would be the best solution for this?
Doing this is surprisingly hard -- to do it you need to create a meter per IP address. Once you have a meter per IP address, you then need to look at its rate_5m and decide if it's over your threshold (note rate_5m is the per second rate over the last 5 minutes). Once you've decided that you need to send off the alert, you'll probably want to include the IP address in it (so we need to extract that using a ruby filter)... all in all, not sure I'd ever use something like this in production because it would likely chew up memory like crazy (because of the meter per ip address).
filter {
  # One meter per distinct client IP. The metrics filter periodically emits a
  # separate event (tagged "metric") carrying <ip>.rate_5m and related fields.
  metrics {
    meter => "%{ip}"
    add_tag => ["metric"]
  }
  ruby { code => '
    ip = nil
    # original log events may carry no tags at all, so guard against nil
    if (event["tags"] || []).include? "metric"
      event.to_hash.each do |key,value|
        # rate_5m is events per second over the last 5 minutes: 0.2/s is
        # roughly 60 hits per 5 minutes; 10 hits per 5 minutes is about 0.033.
        # Strip the 8-character ".rate_5m" suffix to recover the IP.
        if key.end_with?(".rate_5m") and value > 0.2
          ip = key[0..-9]
        end
      end
    end
    if ip
      event["ip"] = ip
      event["tags"] = ["alert"]
    end
  '
  }
}
output {
  if "alert" in [tags] {
    email { ... }
  }
}
You could probably write a custom filter that is smarter about it using something like the trending algorithm to find IP addresses that are trending higher in count.
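The counting the answer describes, written out as a stand-alone script so the threshold logic can be checked before it is wired into a pipeline (added example, mine; not from the answer and not Logstash code). It parses the client IP and timestamp from Apache access-log lines, keeps only the last five minutes of timestamps per IP, and reports an IP the moment it reaches 10 requests inside that window, which is the "10+ from one IP in 5 minutes" rule from the question rather than the per-second rate the metrics filter exposes. Log lines are assumed to arrive in time order, as an access log does; the sample lines are constructed here and are not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log format begins: client-ip ident user [timestamp]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for an access-log line, or None when the
    line does not look like one (so junk lines are skipped, not fatal)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_bursty_ips(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: timestamp} for every IP that makes at least `threshold`
    requests inside any sliding `window`; the timestamp is the request that
    first crossed the threshold.  Only timestamps still inside the window are
    kept per IP, so memory is bounded by the window, not by total log size."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # evict timestamps older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def _line(ip, ts):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512'


BASE = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)

# Constructed sample log: one client hitting /login every 20 s, one slow
# client, and one client whose 10 requests are spread over 9 minutes and so
# never reach 10 inside any 5-minute window (the eviction case).
_EVENTS = (
    [(BASE + timedelta(seconds=20 * i), "203.0.113.5") for i in range(12)]
    + [(BASE + timedelta(seconds=90 * i), "198.51.100.7") for i in range(3)]
    + [(BASE + timedelta(seconds=60 * i), "192.0.2.9") for i in range(10)]
)
SAMPLE_LOG = [_line(ip, ts) for ts, ip in sorted(_EVENTS)]


if __name__ == "__main__":
    for ip, when in find_bursty_ips(SAMPLE_LOG).items():
        print(f"alert: {ip} reached 10 requests in 5 minutes at {when.isoformat()}")
```

With the sample above only 203.0.113.5 is reported, at its 10th request three minutes in; 192.0.2.9 also makes 10 requests but never 10 inside one five-minute span, which is exactly the distinction a fixed-interval count would get wrong.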