Created
May 15, 2023 16:17
-
-
Save HarlemSquirrel/c70bd690941799e8e74bb091df993eea to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| ## | |
| # Construct an exclusion search query for Datadog log search for Tenable IP address ranges. | |
| # | |
| # Datadog does not seem to be able to reliably use CIDR notation but | |
| # if we know the start and end of each IP address range we can construct a single compound query. | |
| # Here we retreive the latested published list of IP address ranges and filter that down to | |
| # the short list of regions we care about. | |
| # | |
| # https://docs.tenable.com/tenableio/Content/Settings/Sensors/CloudSensors.htm | |
| # https://docs.datadoghq.com/logs/explorer/search_syntax/ | |
| # | |
| require 'ipaddr' | |
| require 'json' | |
| require 'net/http' | |
| REGIONS = %w[ | |
| us-east-1 | |
| us-east-2 | |
| us-west-1 | |
| us-west-2 | |
| ] | |
| tenable_ip_range_data = JSON.parse(Net::HTTP.get(URI("https://docs.tenable.com/ip-ranges/data.json"))) | |
| dd_ranges = [] | |
| tenable_ip_range_data["prefixes"].each do |prefix_data| | |
| region = prefix_data["region"] | |
| next unless REGIONS.include?(region) | |
| ip_range = IPAddr.new(prefix_data["ip_prefix"]).to_range | |
| dd_ranges << "[#{ip_range.first} TO #{ip_range.last}]" | |
| end | |
| puts "-@network.client.ip:(#{dd_ranges.join(" OR ")})" | |
| # -@network.client.ip:([34.201.223.128 TO 34.201.223.255] OR [44.192.244.0 TO 44.192.244.255] ...) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment