QUESTION

How do I add CIDR lookup tables and match them against IP addresses? Currently, we are expanding the CIDR range into the complete list of all IP addresses in the range and using that as the lookup table. However, sometimes these ranges are enormous, especially for IPv6 addresses, making them too large to enumerate.

ANSWER

You do not need to expand the ranges. Create a Lookup Table whose key column holds the CIDR ranges themselves; Panther matches an incoming IP address against the ranges directly. See Panther's Enrichment: Lookup Tables documentation for more information.

Here is an example schema fragment. The `validate` block goes on the field that holds the CIDR ranges (the `ip_range` column in the dataset below); `"any"` accepts both IPv4 and IPv6 ranges:

validate:
  cidr: "any"

This schema allows you to use CIDR ranges in your Lookup Table dataset, as shown below:

ip_range       | location
---------------+---------------------
130.0.2.0/24   | SanFran Office
156.11.57.0/24 | Berlin Office
25.96.3.0/24   | Hong Kong Data Centre
...

When an IP address such as 130.0.2.119 is received, it falls inside 130.0.2.0/24 and is enriched with location="SanFran Office". Note that a /32 (or /128 for IPv6) covers exactly one address, so a row like 130.0.2.0/32 would match only 130.0.2.0 itself, not 130.0.2.119.
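To illustrate what the lookup does under the hood, and why enumeration is unnecessary, here is an added standalone Python example (not Panther's own implementation). It keeps each range as a network object and tests containment, so a /64 with 2^64 addresses costs the same as a /24. It also applies longest-prefix matching so a more specific row wins, unwraps IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`) so they hit the IPv4 rows, and returns `None` for unparseable input instead of raising. The rows, including the "gateway" /32 and the IPv6 range, are constructed sample data, not real infrastructure.

```python
"""Added example: CIDR lookup-table matching without expanding ranges."""
import ipaddress
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Table = List[Tuple[IPNetwork, str]]

# Constructed sample rows (not real Panther data): the three office ranges from
# the table above, a /32 that covers exactly one host inside the SanFran /24,
# and an IPv6 /64 that would be impossible to enumerate (2^64 addresses).
LOOKUP_ROWS = [
    ("130.0.2.0/24", "SanFran Office"),
    ("130.0.2.1/32", "SanFran Office gateway"),   # more specific than the /24
    ("156.11.57.0/24", "Berlin Office"),
    ("25.96.3.0/24", "Hong Kong Data Centre"),
    ("2001:db8:1::/64", "Berlin Office IPv6"),
]


def build_table(rows: List[Tuple[str, str]]) -> Table:
    """Parse CIDR strings once and order them longest prefix first."""
    table: Table = []
    for cidr, value in rows:
        # strict=False tolerates host bits set in a row (e.g. "130.0.2.5/24");
        # the network is still normalised to 130.0.2.0/24.
        net = ipaddress.ip_network(cidr, strict=False)
        table.append((net, value))
    # Most specific range first, so the first containment hit is the best match.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table: Table, raw_ip: str) -> Optional[str]:
    """Return the enrichment value for raw_ip, or None if no range contains it."""
    try:
        addr = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        # Garbage in the log field should not crash the detection; treat as no match.
        return None
    # "::ffff:25.96.3.7" is an IPv4 address wearing an IPv6 coat; match it as IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    for net, value in table:
        # Containment is an integer mask comparison; the range is never enumerated.
        if addr.version == net.version and addr in net:
            return value
    return None


def range_size(cidr: str) -> int:
    """Number of addresses a range covers; shows why enumeration does not scale."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    table = build_table(LOOKUP_ROWS)
    for ip in ["130.0.2.119", "130.0.2.1", "::ffff:25.96.3.7",
               "2001:db8:1::dead:beef", "9.9.9.9", "not-an-ip"]:
        print(f"{ip:>24} -> {lookup(table, ip)}")
    print("addresses in 2001:db8:1::/64:", range_size("2001:db8:1::/64"))
```

The linear scan is fine for a few hundred rows; for tables with tens of thousands of ranges, use a radix trie (for example the `pytricia` package) so each lookup is a single prefix walk rather than a scan. The longest-prefix ordering matters when ranges nest: without it, whichever row happened to be first in the dataset would win.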