All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Suspected Network Scanning - Fine tuning - exclude DNS and external IPs

rigmm
New Member
‎08-14-2020 09:50 AM

Trying to fine tune Suspected Network Scanning since we are getting lots of false positives for our AD server doing DNS lookups and endpoints going to external sites that use lots of Akamai related IPs.  We have the threshold set as 500 (see below) but wondering if we can make the scanning more fruitful by excluding our AD servers doing DNS lookups (port 53) and to exclude all external IPs in our search/query.   I'm assuming we want  Network Scanning to really only look at internal IPs (private ranges).  New to Splunk so please forgive my lack of knowledge.  Thanks!!

| tstats summariesonly=t allow_old_summaries=t dc(All_Traffic.dest_port) as num_dest_port dc(All_Traffic.dest_ip) as num_dest_ip from datamodel=Network_Traffic by All_Traffic.src_ip
| rename "All_Traffic.*" as "*"
| where num_dest_port > 500 OR num_dest_ip > 500
| sort - num_dest_ip
Labels (2)
Labels
0 Karma
Reply

BrendanCO
Path Finder
‎01-31-2023 08:24 AM

Nobody ever answered this, I see. Rats! I have the same question. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...