EQL cidrmatch issue

hello guys, I created an eql rule for ssh access I wanna match multiple IP ranges but I get this error that the destination.ip field is text and not IP can you please suggest me another way to do that. here's my query {
sequence with maxspan=15m [any where cidrmatch(destination.ip, "", "", "", "", "", "", "", "") and destination.port==22 and event.action=="Allow" ] [any where source.ip not in ("" , "" , "", "","")] }
and here's the error I get :
must be [ip], found value [destination.ip] type [text]

The only workaround I see is to have a filtering with OR and regex to express this cidrmatch, and be aware that this would most probably be significantly slower than a cidrmatch on IP fields.

The best solution is to reindex your data using the correct mapping (data types for your fields).

yeah I used runtime field and it works now thank you.

Nice, haven't thought of that workaround.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.