Example: Using Unified IPv4 IAAS Providers List

In this example, you use the Unified IPv4 IAAS Providers list to enrich a Dataset that contains IPv4 addresses.

The result shows which Tor Nodes are hosted on common Infrastructure as a Service (IAAS) providers.

Open Dan’s Tor Nodes IPs as Worksheet

Start with the Explore/Datasets view on your Observe instance.

  1. Click the Open in Worksheet icon next to Dan’s Tor Nodes IPs.

Match Data to Unified IPv4 IAAS Providers

  1. Rename the Stage to IP Address IAAS Matches.

  2. Open the OPAL console.

  3. Click Inputs.

  4. Search for and add the Unified IPv4 IAAS Providers.

  5. Note the name of the added Input. The leftjoin in the next step refers to the Input by this name.

  6. Click the OPAL tab and update using the following code:

// Make src_64 the integer representation of the IPv4 address
make_col src_64:int64(ipv4(IP))
// Keep the first 16 bits of the address as an int64 lookup key
make_col src_prefix_mask:floor(int64(ipv4(IP))/pow(2, 16),0)

// Use the IAAS providers Input to enrich our data.
// The join first requires the first 16 bits of the IP to equal the first 16 bits of the provider prefix. This equality key keeps the join performant.
// It then checks that the address falls inside the provider's network prefix.
// IP is the address column of this Dataset, the same column used in the make_col lines above.
leftjoin on (src_prefix_mask = @"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_ip_prefix_mask and ipv4_address_in_network(IP,@"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_ipv4_prefix)),
    iaas_provider:@"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_provider,
    iaas_ip_prefix:@"Threat Intel Basic/Unified IPv4 IAAS Providers".iaas_ip_prefix,
    iaas_match_field:"IP"

// Keep only the rows that matched an IAAS provider
filter not is_null(iaas_provider)

  7. Click Run.

You may also find it useful to enrich the data with lookup_ip_info at this time, in order to use geographic information in a later dashboard or monitor.
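
The two-part join condition used in the OPAL above (equality on a 16-bit prefix key, then a network membership check), sketched in Python as an added example that is not Observe's own code. The provider names and ranges are constructed, and expanding a prefix shorter than /16 into one row per 16-bit bucket is an assumption about how such a lookup table has to be laid out, not something this page states.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows standing in for the IAAS providers list
# (documentation and private ranges, not real provider allocations).
SAMPLE_PREFIXES = [
    ("example-cloud-a", "198.51.100.0/24"),  # longer than /16: one bucket
    ("example-cloud-b", "10.16.0.0/14"),     # shorter than /16: four buckets
]

def prefix_key(ip):
    """Top 16 bits of the address, as floor(int64(ipv4(IP)) / pow(2, 16))."""
    return int(ipaddress.IPv4Address(ip)) >> 16

def build_index(rows):
    """Map every 16-bit bucket a CIDR overlaps to that CIDR (assumed layout)."""
    index = defaultdict(list)
    for provider, cidr in rows:
        net = ipaddress.IPv4Network(cidr)
        first = int(net.network_address) >> 16
        last = int(net.broadcast_address) >> 16
        for key in range(first, last + 1):
            index[key].append((provider, net))
    return index

def match(ip, index):
    """Cheap equality on the bucket first, then exact CIDR containment."""
    addr = ipaddress.IPv4Address(ip)
    for provider, net in index.get(prefix_key(ip), []):
        if addr in net:
            return provider, str(net)
    return None

def enrich(ips, index):
    """Equivalent of the leftjoin followed by filter not is_null(iaas_provider)."""
    matched = []
    for ip in ips:
        hit = match(ip, index)
        if hit is not None:
            matched.append((ip, hit[0], hit[1]))
    return matched

if __name__ == "__main__":
    idx = build_index(SAMPLE_PREFIXES)
    # Constructed addresses: two fall inside a sample prefix, two do not.
    for row in enrich(["198.51.100.7", "10.18.3.4", "10.20.0.1", "192.0.2.1"], idx):
        print(row)
```

If a /14 were stored under a single key only, addresses in its other three /16 buckets would fail the equality test and never reach the containment check, so a missing match is worth verifying against the raw prefix list.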