Skip to main content
Solved

Searching for logs using subnet filter in UDM

  • January 2, 2026
  • 3 replies
  • 47 views
JoeBuilder1968
Forum|alt.badge.img

Best answer by cmorris

Please ty the net.ip_in_range_cidr function - https://docs.cloud.google.com/chronicle/docs/detection/yara-l-2-0-functions/net-ip_in_range_cidr

    3 replies

    cmorris
    Staff
    Forum|alt.badge.img+11
    • cmorris
    • Staff
    • Answer
    • January 5, 2026

    Please ty the net.ip_in_range_cidr function - https://docs.cloud.google.com/chronicle/docs/detection/yara-l-2-0-functions/net-ip_in_range_cidr

      JoeBuilder1968
      Forum|alt.badge.img
      • JoeBuilder1968
      • Author
      • New Member
      • January 26, 2026

      Here is the exact syntax I had to use.

      net.ip_in_range_cidr($e.principal.ip, "192.0.2.0/24")

      But I could not combine it using AND

      I had to apply and run the search and then filter on other fields.

       

      Does anyone know how I can combine in

      cmorris
      Staff
      Forum|alt.badge.img+11
      • cmorris
      • Staff
      • January 26, 2026

      Can you try something like this? Please adjust event_type, port, and CIDR as needed.

      metadata.event_type = "NETWORK_CONNECTION"
      target.port = 80
      net.ip_in_range_cidr(principal.ip, "192.168.0.0/16")

      The query above works on my tenant and returns results here:
       

       

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.