Hi,
Wanted to know if the Google Chronicle & Siemplify integration supports CIDR values when used in SOAR with the Reference List & Custom List actions.
I am trying to check if a given IP address is present in a particular subnet from the Reference or Custom List and, if found, take further action accordingly.
When I add the CIDR value to the custom and reference list, for example 192.168.41.0/24, it gets added. However, when I try to search for an IP, for example 192.168.41.5, with the actions Is Value In Reference List and Is In Custom List, I always get the result not found.
Hi Laxmikant,
Please find the relevant documentation for CIDR reference lists here. I would validate your CIDR entry is in the following form:
If list type is CIDR, Google Security Operations interprets the list lines as Classless Inter-Domain Routing (CIDR) ranges and checks if a field is within any of the ranges in the list. A single CIDR list can mix and match both IPv4 ranges and IPv6 ranges (e.g. 192.0.2.0/24 and 2001:db8::/32), as specified in RFC 4632 and RFC 4291.
Comments begin with double forward slashes, //, and continue to the end of the line. Comments can start on their own line, or can be inline with list content.
The following is an example CIDR reference list content:
// This is a comment
205.148.5.0/24 // This is an inline comment.
10.130.0.0/16
2002:1234:abcd:ffff:c0a8:101/64
CIDR lists have the following size restrictions:
https://cloud.google.com/chronicle/docs/reference/reference-lists#cidr_lists
Hi Ben,
Thank you for sharing the feedback.
The Chronicle reference list for CIDR works properly when used in SIEM rule creation; however, if the same list is used in Google SOAR, it does not work.
I guess SOAR is unable to identify the type of the list as CIDR and fails to match the IP.
Also, the SOAR custom list did not work; I added the same CIDR value to it and used it in the playbook through the action.
Regards,
Laxmikant
SOAR Custom Lists store data as text, so you won't be able to do CIDR calculations in Custom Lists natively; you can only store the CIDRs.
After you retrieve the CIDR(s) from the custom list, you then need to compare, which will likely involve looping.
SOAR playbooks do not currently support looping, so I think the two routes are:
i) Use TemplateEngine 'render template' to handle looping, though I don't see a simple way to do CIDR analysis
ii) Build a custom Python Action that takes two inputs (the list of CIDRs from custom lists, and the IP in question). I just used Bard/Gemini with this "build me a python function that takes a list of CIDR ranges and an IP, and loops through to see if the IP is any of the ranges" and the output looked pretty good
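The matching logic for route ii), as an added example that is not part of the original replies and is not Google's or Siemplify's code. It uses only Python's standard ipaddress module; the function names and the sample list are constructed for illustration, the // comment handling follows the reference-list documentation quoted above, and wiring the functions into a SOAR action's inputs and outputs is not shown.

```python
import ipaddress

# Constructed sample of list content as it would be retrieved as plain text.
SAMPLE_LIST = """
// lab subnets
192.168.41.0/24   // subnet from the question
10.130.0.0/16, 2001:db8::/32
10.0.0.0/33       // malformed on purpose: prefix length out of range
"""


def parse_cidr_list(text):
    """Return (networks, rejected) from newline- or comma-separated CIDR text."""
    networks, rejected = [], []
    for line in text.splitlines():
        body = line.split("//", 1)[0]  # drop a trailing or full-line comment
        for entry in (e.strip() for e in body.split(",")):
            if not entry:
                continue
            try:
                # strict=False also accepts entries with host bits set,
                # e.g. 192.168.41.5/24 is read as 192.168.41.0/24.
                networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                # Collect bad entries so the action can report them
                # instead of silently returning "not found".
                rejected.append(entry)
    return networks, rejected


def find_matching_cidrs(ip, networks):
    """Return every listed range (as a string) that contains the IP.

    Raises ValueError if `ip` is not a valid IPv4 or IPv6 address.
    """
    addr = ipaddress.ip_address(ip.strip())
    return [str(n) for n in networks
            if n.version == addr.version and addr in n]


if __name__ == "__main__":
    nets, bad = parse_cidr_list(SAMPLE_LIST)
    for candidate in ("192.168.41.5", "192.168.42.5", "2001:db8::1"):
        print(candidate, "->", find_matching_cidrs(candidate, nets) or "not found")
    print("rejected entries:", bad)
```

Returning the matching ranges rather than a bare true/false lets the playbook record which subnet matched, and the rejected list surfaces typos in the custom list that would otherwise look like a miss.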