Detecting initial breach

Hello, I'm currently working on a project where I have to find indicators of compromise and report to my supervisor. I'm able to pinpoint when exactly the event is happening but don't know how to figure out which IP addresses are internal and which are external. Can someone assist? I'm new to Kibana.

Internal IP ranges are defined as (IPv4 Private Address Space and Filtering - American Registry for Internet Numbers):

  • 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
  • 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
  • 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255

Everything outside of those IPv4 addresses would be considered external.

Depending on what datasets you have, you would likely be looking to use some of the ECS fields for your searching. Below are examples that I have used for investigations. I would also recommend referencing the Elastic docs - Discover | Kibana Guide [8.14] | Elastic.

  • source.ip:10.0.0.0/8
  • destination.ip:10.0.0.0/8
  • related.ip:10.0.0.0/8

Hopefully this helps!

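The internal/external split the answer describes, as an added example that is not part of the original thread: it applies the three RFC 1918 ranges to constructed ECS-style events (`source.ip` and `destination.ip` are real ECS field names; the sample addresses are made up) and builds the equivalent KQL filters for Discover.

```python
import ipaddress
from typing import Dict, List

# The three RFC 1918 ranges listed in the answer; anything else is external.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the RFC 1918 ranges (IPv6 never matches an IPv4 net)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify_direction(event: Dict[str, str]) -> str:
    """Label a flow by which side is internal: internal, outbound, inbound or external."""
    src_internal = is_internal(event["source.ip"])
    dst_internal = is_internal(event["destination.ip"])
    if src_internal and dst_internal:
        return "internal"
    if src_internal:
        return "outbound"
    if dst_internal:
        return "inbound"
    return "external"


def kql_internal(field: str) -> str:
    """KQL filter matching any private range on one ECS field (paste into Discover)."""
    return " or ".join(f"{field}:{net}" for net in PRIVATE_NETS)


def kql_external(field: str) -> str:
    """KQL filter for the complement: the field holds a non-RFC 1918 address."""
    return f"not ({kql_internal(field)})"


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count events per direction; a quick triage view before drilling into Kibana."""
    counts: Dict[str, int] = {}
    for event in events:
        direction = classify_direction(event)
        counts[direction] = counts.get(direction, 0) + 1
    return counts


# Constructed sample events (not real traffic); 172.32.0.1 sits just past the /12 boundary.
SAMPLE_EVENTS = [
    {"source.ip": "192.168.1.20", "destination.ip": "8.8.8.8"},
    {"source.ip": "203.0.113.5", "destination.ip": "10.0.4.7"},
    {"source.ip": "172.16.5.5", "destination.ip": "172.31.0.9"},
    {"source.ip": "172.32.0.1", "destination.ip": "10.1.1.1"},
    {"source.ip": "198.51.100.9", "destination.ip": "203.0.113.77"},
]
```

Note that `ipaddress.ip_address(...).is_private` is broader than the answer's definition (it also flags loopback and link-local), which is why the block checks the three ranges explicitly.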