Event Search and CIDR Notation

Classless inter-domain routing (CIDR) notation is a shorthand representation of a range of IP addresses and their associated routing prefix. The CIDR notation format is an IP address, a forward slash, and an integer prefix length (the number of leading bits that make up the routing prefix). For example:

1.1.1.1/24

The Threat Stack Cloud Security PlatformⓇ (CSP) supports queries that confirm whether a specific IPv4 or IPv6 address falls within a CIDR block. You perform these queries with the = (include) and/or != (exclude) operators. The following Event fields support CIDR notation queries:

Event Field            Field Type
src_ip                 Linux Host, Windows Host
connection.addr        Audit, Threat Intel
connection.dst_addr    Audit, Threat Intel
connection.src_addr    Audit, Threat Intel
dst_ip                 Windows Host
dstIpv6                Windows Host
srcIpv6                Windows Host

Note

If you query CIDR notation on a field that does not support it, then your search results return no values.

Sample CIDR Notation Event Queries

IPv4

The returned value for the following query is true when your source IP address falls within a specific CIDR range:

srcIp = "192.168.1.1/32"

The returned value for the following query is true when your source IP address falls outside of a specific CIDR range:

srcIp != "192.168.1.1/32"

IPv6

The returned value for the following query is true when your source IP address falls within a specific CIDR range:

srcIp = "2001:db8::/63"

The returned value for the following query is true when your source IP address falls outside of a specific CIDR range:

srcIp != "2001:db8::/63"
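The following Python script is an added example, not part of the original article and not Threat Stack code. It shows what a CIDR-notation query like those above has to do under the hood: expand a prefix such as 1.1.1.1/24 into its address range, then apply = and != membership tests to a set of events for both IPv4 and IPv6, including the page's rule that a query on an unsupported field returns no results. The event records, the set of supported field names, and the treatment of malformed address values (matched by neither operator) are assumptions made for the example.

```python
import ipaddress

# Constructed sample events for the example; not real Threat Stack data.
# The field name "srcIp" follows the query examples on the page.
SAMPLE_EVENTS = [
    {"id": 1, "srcIp": "192.168.1.1",      "user": "alice"},
    {"id": 2, "srcIp": "192.168.1.77",     "user": "bob"},
    {"id": 3, "srcIp": "10.0.0.5",         "user": "carol"},
    {"id": 4, "srcIp": "2001:db8::1",      "user": "dave"},
    {"id": 5, "srcIp": "2001:db8:0:2::1",  "user": "erin"},
    {"id": 6, "srcIp": "not-an-ip",        "user": "frank"},  # malformed value
]

# Assumed set of fields on which CIDR matching is supported (for the example).
CIDR_FIELDS = {"srcIp", "src_ip", "dst_ip", "srcIpv6", "dstIpv6",
               "connection.addr", "connection.src_addr", "connection.dst_addr"}


def cidr_range(cidr):
    """Expand a CIDR block into (first address, last address, address count).

    strict=False lets a host address such as 1.1.1.1/24 stand for its
    containing block 1.1.1.0/24, matching how the page writes the example.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def in_cidr(address, cidr):
    """Return True if address lies inside the CIDR block.

    Returns False for a malformed address, for an address of the other
    IP family (an IPv4 address is never inside an IPv6 block), and for an
    address outside the block. The value is tested numerically, never as a
    string prefix, so "192.168.10.1" is correctly outside 192.168.1.0/24.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.version == net.version and addr in net


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cidr_query(events, field, op, cidr, supported=CIDR_FIELDS):
    """Apply a `field = "cidr"` or `field != "cidr"` query to a list of events.

    - An unsupported field yields no results, as the page states.
    - "=" returns events whose address is inside the block.
    - "!=" returns events whose value parses as an IP address and is outside
      the block (assumption: malformed values match neither operator).
    """
    if field not in supported:
        return []
    if op == "=":
        return [e for e in events if field in e and in_cidr(e[field], cidr)]
    if op == "!=":
        return [e for e in events
                if field in e and _is_ip(e[field]) and not in_cidr(e[field], cidr)]
    raise ValueError("operator must be '=' or '!='")


def matching_ids(events, field, op, cidr):
    """Convenience wrapper returning only the ids of matching events."""
    return [e["id"] for e in cidr_query(events, field, op, cidr)]


if __name__ == "__main__":
    print("1.1.1.1/24 covers", cidr_range("1.1.1.1/24"))
    for field, op, cidr in [("srcIp", "=", "192.168.1.1/32"),
                            ("srcIp", "!=", "192.168.1.1/32"),
                            ("srcIp", "=", "2001:db8::/63"),
                            ("srcIp", "!=", "2001:db8::/63"),
                            ("user", "=", "192.168.1.0/24")]:
        print(f'{field} {op} "{cidr}" ->', matching_ids(SAMPLE_EVENTS, field, op, cidr))
```

Note that 2001:db8::/63 spans two /64 networks (2001:db8:0:0::/64 and 2001:db8:0:1::/64), so 2001:db8:0:2::1 falls outside it; the numeric comparison in `in_cidr` handles that without any string manipulation.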