Solved: InfoSec App External IPs including 1918 Addresses

moogmusic · ‎08-07-2020

I've just been reviewing the Firewalls dashboard in the Continuous Monitoring section of the InfoSec app - the search that powers the External Source and Destination IP counts is this:

| tstats summariesonly=true allow_old_summaries=true dc(All_Traffic.src_ip) from datamodel=Network_Traffic where All_Traffic.src_ip!=10.0.0.0/8 All_Traffic.src_ip!=192.168.0.0/16 All_Traffic.src_ip!=172.16.0.0/12

If change dc(All_Traffic.src_ip) to values(All_Traffic.src_ip), the list of IPs generated includes all our 10.0.0.0/8 addresses - I've seen this problem with other tstats network searches I've tried to run and thought I wasn't formatting the search properly but there's clearly an issue with the All_Traffic.src_ip!=10.0.0.0/8 filter

Anyone else seen this/got a solution?

Thanks

moogmusic · ‎08-18-2020

Turns out this is not implemented until 7.3 and we're running 7.2.9.

View solution in original post

moogmusic · ‎08-18-2020

Turns out this is not implemented until 7.3 and we're running 7.2.9.

InfoSec App External IPs including 1918 Addresses

dashboard

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?