https://community.splunk.com/t5/Splunk-Enterprise-Security/Omit-IP-addresses-from-SPL/m-p/554375#M9952 <P>What is the best way to omit internal IPs within this SPL? There are a lot of internal source IP hits that come up when running this SPL over the past 60 mins. This is a canned use case that comes with ES.&nbsp;</P><P>ESCU - Protocols passing authentication in cleartext - Rule</P><P>| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port<BR />| `security_content_ctime(firstTime)`<BR />| `security_content_ctime(lastTime)`<BR />| `drop_dm_object_name("All_Traffic")`</P><P>Thank you,</P><P>Tomas</P> Fri, 04 Jun 2021 00:16:01 GMT tkbrown 2021-06-04T00:16:01Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Omit-IP-addresses-from-SPL/m-p/554375#M9952 <P>What is the best way to omit internal IPs within this SPL? There are a lot of internal source IP hits that come up when running this SPL over the past 60 mins. This is a canned use case that comes with ES.&nbsp;</P><P>ESCU - Protocols passing authentication in cleartext - Rule</P><P>| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port<BR />| `security_content_ctime(firstTime)`<BR />| `security_content_ctime(lastTime)`<BR />| `drop_dm_object_name("All_Traffic")`</P><P>Thank you,</P><P>Tomas</P> Fri, 04 Jun 2021 00:16:01 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Omit-IP-addresses-from-SPL/m-p/554375#M9952 tkbrown 2021-06-04T00:16:01Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Omit-IP-addresses-from-SPL/m-p/554654#M9958 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/212857">@tkbrown</a>&nbsp; - If you can add a category against all these internal IPs which want to exclude in your assets/identities for ES, you can use the 'src_category' to exclude them in the above rule. Hope this helps.</P> Mon, 07 Jun 2021 10:16:50 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Omit-IP-addresses-from-SPL/m-p/554654#M9958 lakshman239 2021-06-07T10:16:50Z