I’ve created an extractor for an input that gets the source IP from httpd log entries. So now I have a field called source_ip_address.
Is there a way I can add an extra field based on the IP address to see if it’s a private IP - our internal range - or else classify it as external? The field would only have two values - Internal or External.
You could write a pipeline rule for that and use a custom lookup table for your private IP range (or use the in_private_net() function from the Threat Intelligence plugin).
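As an added illustration (not code from the thread above), here is the two-rule pattern this answer describes, using the core cidr_match() function so the "internal" range is the one you name yourself rather than all RFC 1918 space; the target field name ip_scope and the 10.0.0.0/8 and 192.168.0.0/16 ranges are assumptions for the example:

```graylog
// Both rules belong in the same pipeline stage; their conditions are
// mutually exclusive, so exactly one of them fires per message.
// Replace the CIDR blocks with your own internal range(s).

rule "source_ip_address is Internal"
when
    has_field("source_ip_address") &&
    (
        cidr_match("10.0.0.0/8",     to_ip($message.source_ip_address)) ||
        cidr_match("192.168.0.0/16", to_ip($message.source_ip_address))
    )
then
    set_field("ip_scope", "Internal");
end

rule "source_ip_address is External"
when
    has_field("source_ip_address") &&
    ! cidr_match("10.0.0.0/8",     to_ip($message.source_ip_address)) &&
    ! cidr_match("192.168.0.0/16", to_ip($message.source_ip_address))
then
    set_field("ip_scope", "External");
end
```

If you would rather treat every private address as Internal, swap the cidr_match() chain for in_private_net(to_string($message.source_ip_address)) from the Threat Intelligence plugin in both rules.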