Does CIDR validator in Panther support bare IP addresses without CIDR notation?

Last updated: May 28, 2026

QUESTION

Does cidr: "any" in Panther support bare IP addresses without CIDR notation?

ANSWER

No. The validate: cidr: any validator requires strict CIDR notation. Every value must include a prefix length (e.g. 1.2.3.4/32, 10.0.0.0/24, 2001:db8::1/128). A bare IP address without a prefix length (e.g. 10.2.3.5) will cause a classification error:

Failed to classify event as 'Custom.Test': 'address' is not a valid CIDR block

Depending on your data, you can use one of the following approaches:

  • If all values in your lookup table are in CIDR notation:

- name: address
  type: string
  validate:
    cidr: "any"

  • If your data contains only bare IP addresses (no CIDR notation):

- name: address
  type: string
  validate:
    ip: "any"

If your data mixes bare IPs and CIDR ranges and you cannot normalise upstream, drop the cidr validator and use the ip indicator instead:

- name: address
  type: string
  indicators:
    - ip
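
Where normalising upstream is an option for mixed data, bare IPs can be rewritten to CIDR notation before the lookup table is loaded, so the cidr: "any" validator can stay in place. The following is an added example, not Panther code: the function names and sample values are constructed, and rejecting CIDR values with host bits set (rather than masking them) is a choice made here, not documented Panther behaviour.

```python
import ipaddress

# Constructed sample column mixing bare IPs, CIDR blocks and bad rows.
SAMPLE = ["10.2.3.5", "10.0.0.0/24", "2001:db8::1", "10.2.3.5/24", "not-an-ip"]


def normalize_to_cidr(value):
    """Return value in CIDR notation.

    Raises ValueError if value is neither an IP address nor a CIDR block,
    or if it is a CIDR block with host bits set (e.g. 10.2.3.5/24).
    """
    text = value.strip()
    if "/" in text:
        # Already carries a prefix length: parse strictly so an ambiguous
        # entry is surfaced for review instead of being silently masked.
        return str(ipaddress.ip_network(text, strict=True))
    # Bare address: append the full-length host prefix (/32 or /128).
    addr = ipaddress.ip_address(text)
    return f"{addr}/{addr.max_prefixlen}"


def normalize_column(values):
    """Split values into (normalized, rejected), preserving input order."""
    normalized, rejected = [], []
    for value in values:
        try:
            normalized.append(normalize_to_cidr(value))
        except ValueError:
            rejected.append(value)
    return normalized, rejected


if __name__ == "__main__":
    ok, bad = normalize_column(SAMPLE)
    for row in ok:
        print(row)
    for row in bad:
        print(f"rejected: {row!r}")
```

Rows in the rejected list are the ones that would still fail classification or need a manual decision, so review them before loading the table.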