I am trying to create an ES|QL query that will match firewall records with a source.ip field against subnets listed as CIDR in a lookup table. Basically I’m trying to find events that originate from certain CIDR blocks.
This is as close as I got:
from "logs-panw*" | where rule.name == "BLOCKED MFN OUTBOUND"
| LOOKUP JOIN "air-byod-network" ON source.ip
where both the logs-panw* and the air-byod-network indices contain a field named source.ip.
In the panw index it is an ip field, and in the air index it is an ip_range field. But this gave me an error message:
[esql] > Unexpected error from Elasticsearch: verification_exception - Found 1 problem line 2:36: Cannot use field [source.ip] with unsupported type [ip_range]
Is this because the two fields in the join have to be the same type?
Any ideas on how to perform this sort of join/lookup between an Ip address and a CIDR block?
Yeah, that’s not going to work for us. We have about a hundred subnets we need to match against, and the subnets change, so creating and maintaining thousands of individual IP records is not going to happen.
(Remember to re-execute the policy every time the contents of the lookup index (air-byod-network in my case) changes.)
Then, by using this ES|QL, I was able to filter on just the firewall events that did not happen on my BYOD networks:
from "logs-panw*" | where rule.name == "BLOCKED MFN OUTBOUND"
| ENRICH byod-networks ON source.ip
| WHERE name is null
That is, the field "name" will be null when the source.ip address in the firewall log does not match one of the CIDR ranges in the lookup index field source.ip.
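The full setup the thread only alludes to (lookup index with an ip_range field, an enrich policy of match type "range", execution of that policy, and the ES|QL ENRICH query), written out as an added example that is not code from the thread or from Elastic. It assumes a cluster at the placeholder ES_URL, reuses the index and policy names from the thread, and adds a hypothetical local checker (classify) so the ENRICH output can be compared against a ground truth computed with the ipaddress module:

```python
"""Constructed walkthrough (not the forum poster's code): match event IPs
against CIDR blocks with an Elasticsearch range enrich policy and ES|QL ENRICH.
Assumptions: Elasticsearch reachable at ES_URL (placeholder, no auth shown),
index and policy names as used in the thread, constructed sample subnets."""
import ipaddress
import json
import urllib.request

ES_URL = "http://localhost:9200"      # placeholder; adjust URL/TLS/auth for your cluster
LOOKUP_INDEX = "air-byod-network"     # lookup index name from the thread
POLICY_NAME = "byod-networks"         # enrich policy name from the thread

# Constructed sample subnets; the real lookup index holds roughly a hundred.
SAMPLE_NETWORKS = [
    {"name": "byod-wifi-hq", "cidr": "10.10.0.0/16"},
    {"name": "byod-wifi-branch", "cidr": "192.168.50.0/24"},
]


def lookup_index_mapping() -> dict:
    """Mapping for the lookup index. A range enrich policy needs its match
    field to be a range type, hence ip_range rather than ip."""
    return {"mappings": {"properties": {
        "name": {"type": "keyword"},
        "source": {"properties": {"ip": {"type": "ip_range"}}},
    }}}


def enrich_policy() -> dict:
    """Range policy: an event's ip value is tested for containment in the
    lookup documents' ip_range field, and 'name' is copied onto the event."""
    return {"range": {
        "indices": [LOOKUP_INDEX],
        "match_field": "source.ip",
        "enrich_fields": ["name"],
    }}


def esql_query(rule_name: str = "BLOCKED MFN OUTBOUND", outside_only: bool = True) -> str:
    """ES|QL query mirroring the thread: enrich, then keep events whose source
    fell outside every known CIDR (name IS NULL) or inside one (IS NOT NULL)."""
    query = (f'FROM logs-panw* | WHERE rule.name == "{rule_name}"'
             f' | ENRICH {POLICY_NAME} ON source.ip')
    return query + (" | WHERE name IS NULL" if outside_only else " | WHERE name IS NOT NULL")


def classify(ip: str, networks=SAMPLE_NETWORKS):
    """Hypothetical local equivalent of the ENRICH step, useful for checking the
    query output: return the first matching network name, or None when the
    address is outside every CIDR (the rows 'WHERE name IS NULL' selects).
    Elasticsearch likewise returns a single match by default, so avoid
    overlapping ranges in the lookup index or expect the first hit only."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in ipaddress.ip_network(net["cidr"], strict=False):
            return net["name"]
    return None


def es_request(method: str, path: str, body=None):
    """Minimal JSON request helper; raises urllib.error.HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def provision_and_query():
    """Create the lookup index and policy, execute the policy, run the query.
    Both PUTs fail if the index/policy already exist: delete and recreate to
    change a policy definition."""
    es_request("PUT", f"/{LOOKUP_INDEX}", lookup_index_mapping())
    for net in SAMPLE_NETWORKS:
        es_request("POST", f"/{LOOKUP_INDEX}/_doc?refresh=true",
                   {"name": net["name"], "source": {"ip": net["cidr"]}})
    es_request("PUT", f"/_enrich/policy/{POLICY_NAME}", enrich_policy())
    # The enrich index is a snapshot of the lookup index taken at execution time:
    # re-run _execute whenever subnets are added, removed or changed.
    es_request("POST", f"/_enrich/policy/{POLICY_NAME}/_execute")
    return es_request("POST", "/_query", {"query": esql_query()})


if __name__ == "__main__":
    print(json.dumps(provision_and_query(), indent=2))
```

The pure helpers (lookup_index_mapping, enrich_policy, esql_query, classify) run without a cluster; provision_and_query performs the actual API calls. Because ENRICH reads the enrich index rather than the lookup index itself, a stale policy is the usual reason a newly added subnet still shows up as "name IS NULL".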