Private IP addresses commonly need to be filtered out to make reporting and alerting less noisy and more precise. For example, let’s say you have the following query to parse out IP addresses and show Geo Location information in a table:
- This uses the Parse Regex and Geo Lookup operators
- For more information on parsing, see here
_sourceCategory=prod/app
// first, parse out the field you need: the IPv4 address
| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "
// Use Geo Lookup to get lat, long, and other geo-information for public IPs
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location
on ip = ip_address
| count by latitude, longitude, country_code, country_name, region, city, postal_code
The problem is that some of these IP addresses are private, so you may want to filter them out. To do so, use a Where operator together with the isPrivateIP function, which excludes "private" IPs:
| where !isPrivateIP(ip_address)
Add this line right after the parse statement, so the full query becomes:
_sourceCategory=prod/app
// first, parse out the field you need: the IPv4 address
| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "
// drop RFC 1918 private addresses before the lookup
| where !isPrivateIP(ip_address)
// Use Geo Lookup to get lat, long, and other geo-information for public IPs
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location
on ip = ip_address
| count by latitude, longitude, country_code, country_name, region, city, postal_code
We are then able to create dashboard panels or alerts that contain public IP addresses only.
Note: This example filters only private ranges. Reserved IP address ranges are not excluded by isPrivateIP, and the Geo Lookup operator will not return geo-information for them.
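The following Python script is an added example, not part of the original article or of Sumo Logic's own code. It reproduces the pipeline above offline: it applies the same IPv4 regex to constructed log lines, separates RFC 1918 private addresses (the isPrivateIP check) from reserved ranges such as loopback and link-local (the note above: these pass isPrivateIP but yield no geo data), and shows one extra edge case the regex alone does not catch, a token like 999.1.1.1 that matches \d{1,3} four times but is not a valid address. Function names and sample data are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Same pattern the Sumo Logic query uses. Note that \d{1,3} also accepts octets
# above 255, so the classifier has to cope with tokens such as 999.1.1.1.
IPV4_RE = re.compile(r"(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# RFC 1918 ranges: what "private" means for an isPrivateIP-style filter.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not taken from any real system).
# 203.0.113.45 is from the RFC 5737 documentation range and stands in for a
# routable public address.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z app accepted connection from 10.12.0.7 port 51022",
    "2024-01-01T10:00:01Z app accepted connection from 192.168.1.25 port 51023",
    "2024-01-01T10:00:02Z app accepted connection from 172.16.5.9 port 51024",
    "2024-01-01T10:00:03Z app accepted connection from 203.0.113.45 port 51025",
    "2024-01-01T10:00:04Z app accepted connection from 127.0.0.1 port 51026",
    "2024-01-01T10:00:05Z app accepted connection from 169.254.10.2 port 51027",
    "2024-01-01T10:00:06Z app health check ok, no client address",
    "2024-01-01T10:00:07Z app rejected bad header 999.1.1.1 port 51028",
]


def extract_ip(line):
    """Equivalent of the parse regex stage: first IPv4-looking token, or None."""
    m = IPV4_RE.search(line)
    return m.group("ip_address") if m else None


def classify_ip(ip):
    """Return 'invalid', 'private', 'reserved' or 'public' for a dotted-quad string."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        # The regex matched, but an octet is out of range: not a real address.
        return "invalid"
    if any(addr in net for net in RFC1918):
        return "private"          # what isPrivateIP would exclude
    # Ranges that are not private but still return no geo data: loopback,
    # link-local, multicast, 0.0.0.0 and the reserved 240.0.0.0/4 block.
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved):
        return "reserved"
    return "public"


def geo_candidates(lines):
    """Addresses that should reach the geo lookup stage: public ones only."""
    return [ip for ip in map(extract_ip, lines)
            if ip is not None and classify_ip(ip) == "public"]


def category_counts(lines):
    """How much noise each class contributes before filtering."""
    return Counter(classify_ip(ip) for ip in map(extract_ip, lines) if ip is not None)


if __name__ == "__main__":
    print("category counts:", dict(category_counts(SAMPLE_LOGS)))
    print("sent to geo lookup:", geo_candidates(SAMPLE_LOGS))
```

Running it over the constructed lines sends only 203.0.113.45 on to the lookup stage; the three RFC 1918 addresses are dropped exactly as `where !isPrivateIP(ip_address)` would drop them, while 127.0.0.1 and 169.254.10.2 show why a second condition for reserved ranges is worth adding if those addresses appear in your data.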