Alerting

How to set up an alert trigger to block traffic for IP addresses?

Miky
Explorer

Hi Splunkers,

I'm trying to set an alert condition to block traffic for IP addresses from 13.108.0.0 to13.111.255.255 and from 66.231.70.0  to 66.231.85.255, but I'm really stuck is there anybody can help please?

My query below:

 

| tstats count values(All_Traffic.app) AS app values(All_Traffic.dvc) AS devicename values(All_Traffic.src_zone) AS src_zone values(All_Traffic.dest_zone) AS dest_zone from datamodel=Network_Traffic where All_Traffic.action=blocked All_Traffic.src_ip IN (*) All_Traffic.dest IN (13.108.0.0 13.111.255.255 OR 66.231.80.0 66.231.95.255) All_Traffic.dest_port IN (*) by _time,All_Traffic.action,All_Traffic.src_ip, All_Traffic.dest ,All_Traffic.dest_port ,All_Traffic.transport,All_Traffic.rule,sourcetype | rename All_Traffic.* AS * | sort - _time limit=0 | fields - count | rename rule as policy,src_ip AS src | eval action=case(action="teardown","drop",1=1,action)

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Does your data have all of the fields you're asking tstats to count?  If not then you'll get a zero for everything.

Use a non-tstats query to test for the presence of fields.

| from datamodel:Network_Traffic 
| search action=blocked src_ip IN (*) dest IN (13.108.0.0 13.111.255.255 OR 66.231.80.0 66.231.95.255) dest_port IN (*)
| fields app devicename src_zone dest_zone action src_ip dest dest_port transport rule
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Miky
Explorer

The result I'm getting is 0 what I want to do is just to set up the range of IP addresses to be blocked whenever one of them used.

Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Does your data have all of the fields you're asking tstats to count?  If not then you'll get a zero for everything.

Use a non-tstats query to test for the presence of fields.

| from datamodel:Network_Traffic 
| search action=blocked src_ip IN (*) dest IN (13.108.0.0 13.111.255.255 OR 66.231.80.0 66.231.95.255) dest_port IN (*)
| fields app devicename src_zone dest_zone action src_ip dest dest_port transport rule
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

What are you stuck on?  What results are you getting and how do they not meet expectations?

BTW, the IN operator does not use 'OR'.  It just takes a comma- or space-separated list of values.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...