Deception - how to query for IP range or CIDR

I recently ran into an issue where I needed to query for an IP range and could not find a way to do it due to the operator limitations for attacker.ip. My goal was to delete any alert that came from a particular IP range but couldn't find a way to do it because the query language doesn't appear to support CIDR masks or IP ranges. I successfully queried for a single IP but couldn't work out a range or CIDR. It would be nice to have the operator "begins with" or "contains" if you're not going to support CIDR or IP ranges. Am I missing something? Is there an RFE for this feature? Note: this was just under Investigate, at the top query.

works
attacker.ip = "x.x.x.x"

doesn’t work
attacker.ip = x.x.x.x/24

I was able to get this answer from support. I hope it helps others.

With regard to your query on using CIDR notation under Investigate, we won’t be able to use the CIDR notation to filter IPs from a specific subnet, however you can use the workaround mentioned below:

For example, if you would like to look for attacker IPs in 10.0.8.0/24, you can use the below condition on the Investigate tab:
attacker.ip like /.10.0.8./

If you would want to look for IPs in the 10.0.0.0/16 network, you can use the condition below:
attacker.ip like /.10.0./
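As an added example (not part of this thread and not the vendor's code): a Python script that turns an octet-aligned CIDR into an anchored regex with escaped dots, checks that regex against an exact `ipaddress` membership test on a constructed list of IPs, and shows what the pattern exactly as printed in the support reply matches under standard regex semantics, where a bare `.` matches any single character, digits included. That the product's `like /.../` operator behaves as an unanchored regex search, and that its dialect accepts `^`, `$` and `\d`, are assumptions made here, not facts stated on the page; check them against the vendor's documentation before relying on the generated pattern.

```python
import ipaddress
import re

# Constructed sample of attacker IPs (not from the thread). It mixes true
# members of 10.0.8.0/24 with addresses chosen to show how an unescaped "."
# over-matches, since "." also matches a digit.
SAMPLE_IPS = [
    "10.0.8.1", "10.0.8.254", "10.0.9.1", "10.0.80.1",
    "110.0.8.5", "210.0.85.9", "192.168.1.1",
]

# Pattern exactly as printed in the support reply (dots unescaped).
AS_PRINTED = r".10.0.8."


def cidr_to_regex(cidr):
    """Build an anchored regex matching exactly the addresses of an
    octet-aligned IPv4 CIDR (/8, /16, /24 or /32). Other prefix lengths
    cannot be expressed by fixing whole octets, so they are rejected
    instead of being silently approximated."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError(f"{cidr}: only octet-aligned IPv4 prefixes are supported")
    fixed = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    parts = [re.escape(o) for o in octets[:fixed]] + [r"\d{1,3}"] * (4 - fixed)
    return "^" + r"\.".join(parts) + "$"


def like(pattern, ip):
    """Assumed semantics of the product's `like /.../`: an unanchored regex search."""
    return re.search(pattern, ip) is not None


def in_cidr(ip, cidr):
    """Exact membership test, i.e. what a native CIDR operator would compute."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)


def matches(pattern, ips=SAMPLE_IPS):
    """IPs from the sample that the regex pattern matches."""
    return [ip for ip in ips if like(pattern, ip)]


def members(cidr, ips=SAMPLE_IPS):
    """IPs from the sample that really belong to the CIDR."""
    return [ip for ip in ips if in_cidr(ip, cidr)]


if __name__ == "__main__":
    for cidr in ("10.0.8.0/24", "10.0.0.0/16"):
        pattern = cidr_to_regex(cidr)
        print(f"{cidr}: attacker.ip like /{pattern}/")
        print("  regex matches :", matches(pattern))
        print("  CIDR members  :", members(cidr))
    print("as printed     :", matches(AS_PRINTED))
```

The generated pattern for 10.0.8.0/24 is `^10\.0\.8\.\d{1,3}$`; it selects exactly the same sample addresses as the `ipaddress` test, while the unescaped, unanchored pattern as printed selects 110.0.8.5 and 210.0.85.9 instead. `\d{1,3}` is deliberately loose about octet range (it would accept 999) because the field is assumed to hold already-valid addresses; tighten it if the data is untrusted.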
