Rule Creation and CIDR Notation
Classless inter-domain routing (CIDR) notation is a shorthand representation of a range of IP addresses and their associated routing prefix. CIDR notation format is an IP address, a forward slash character, and an integer. For example:
1.1.1.1/24The Threat Stack Cloud Security PlatformⓇ (CSP) supports rule creation using CIDR notation. The following Rule fields support CIDR notation:
| Event Field | Field Type |
|---|---|
| src_ip | Linux Host, Windows Host |
| connection.addr | Audit, Threat Intel |
| connection.dst_addr | Audit, Threat Intel |
| connection.src_addr | Audit, Threat Intel |
| dst_ip | Windows Host |
| dstIpv6 | Windows Host |
| srcIpv6 | Windows Host |
Note
If you query CIDR notation on a field that does not support it, then your rules evaluate as false on that field.
Sample CIDR Notation Event Queries
IPv4
An alert triggers when an event contains a value in the source IP address field that falls within the specific CIDR range:
srcIp = "192.168.1.1/32"Connection.addr
An alert triggers when an event contains a value in the connection IP address field that falls outside of a specific CIDR range:
srcIp != "192.168.1.1/32"Have more questions? Submit a request