Example: Using Unified IPv4 IAAS Providers List

In this example, you use the Unified IPv4 IAAS Providers list against a Dataset that contains IPv4 addresses.

This example displays Tor Nodes hosted on common Infrastructure as a Service (IAAS) providers.

The tutorial covers the following topics:

Open Dan’s Tor Nodes IPs as Worksheet

Start with the Explore/Datasets view on your Observe instance.

Figure 1 - Threat Datastreams View

  1. Click the Open in Worksheet icon next to Dan’s Tor Nodes IPS.

Figure 2 - Open Dan’s Tor Nodes IPS in Worksheet

Match Data to Unified IP IAAS Providers

  1. Rename the Stage to IP Address IAAS Matches.

  2. Open the OPAL console.

  3. Click Inputs.

  4. Search for and add the Unified IPv4 IAAS Providers.

  5. Note the name of the added Input to use it in the leftjoin section.

Figure 3 - Inputs Unified IPv4 IAAS Providers

  6. Click the OPAL tab and update using the following code:

// make a src_64 field to be the integer representation of the IPv4 Address
make_col src_64:int64(ipv4(IP))

// Make an integer64 representation of the first 16 bits for a lookup key
make_col src_prefix_mask:floor(int64(ipv4(IP))/pow(2, 16),0)

// Use the Public IP resource set to enrich our data
// Join where the first 16 bits of the IP equal the first 16 bits of the IOC. This equality lookup key keeps the join performant.
// Then AND a check that the integer64 of the IP address falls within the start/end range of the IOC.
leftjoin on (src_prefix_mask = @"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_ip_prefix_mask and (src_64 >= @"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_ipv4_range_start and src_64 <= @"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_ipv4_range_end)),
    iaas_provider:@"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_provider,
    iaas_ip_prefix:@"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_ip_prefix

// Filter to matches to confirm IAAS data
filter not is_null(iaas_provider)

  7. Click Run.

Figure 4 - Matched Unified IPv4 IAAS Providers
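
The two-stage match used in the leftjoin (equality on the first 16 bits, then a start/end range check) can be modelled outside Observe to see why the prefix key matters. The following Python is an added example, not Observe's code or part of the product; it goes one step beyond the tutorial by including a range wider than /16, which has to be indexed under every prefix key it overlaps. The provider names, CIDRs and function names are constructed for the illustration.

```python
"""Python model of the two-stage match in the OPAL leftjoin (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample ranges; provider names and CIDRs are placeholders
# (benchmark/documentation address space), not rows from the real list.
SAMPLE_RANGES = [
    ("provider-a", "198.18.0.0/15"),   # wider than /16: spans two prefix keys
    ("provider-b", "203.0.113.0/24"),  # narrower than /16: one prefix key
]

def prefix_key(ip_int):
    """Top 16 bits of the address, like floor(int64(ipv4(IP)) / pow(2, 16))."""
    return ip_int >> 16

def build_index(ranges):
    """Bucket each range under every /16 key it overlaps.

    Assumption: the lookup side carries one entry per /16 bucket. A range
    stored only under its first key would miss addresses in later buckets.
    """
    index = defaultdict(list)
    for provider, cidr in ranges:
        net = ipaddress.ip_network(cidr)
        start, end = int(net.network_address), int(net.broadcast_address)
        for key in range(prefix_key(start), prefix_key(end) + 1):
            index[key].append((start, end, provider, cidr))
    return index

def match(index, ip):
    """Equality on the prefix key first, then the start/end range check."""
    src_64 = int(ipaddress.IPv4Address(ip))
    for start, end, provider, cidr in index.get(prefix_key(src_64), []):
        if start <= src_64 <= end:
            return provider, cidr
    return None  # the OPAL pipeline drops these rows with the is_null filter

def enrich(index, ips):
    """Left join followed by the null filter: keep only matched addresses."""
    return {ip: hit for ip in ips if (hit := match(index, ip)) is not None}

if __name__ == "__main__":
    idx = build_index(SAMPLE_RANGES)
    sample_ips = ["198.18.4.7", "198.19.200.1", "203.0.113.9", "192.0.2.1"]
    for ip, hit in enrich(idx, sample_ips).items():
        print(ip, *hit)
```

The address `203.0.114.9` shares a prefix key with `provider-b` but fails the range check, which is why the join needs both conditions.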