Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use case Creation

Abhirup_10
New Member
‎01-23-2024 09:00 AM

Hi Everyone,

I want to create a new Use case to detect Suspicious activity on insecure ports from remote to local and local to remote. I didn't understand how do I write the query as source IP/Destination IP as remote. Is there any way to define the "Context" like Remote and Local? 

I want to define for L2R rule destination IP should be remote and for R2L Source IP should be Remote. I have tried with the reverse condition but it didn't worked properly. 


Example: For L2R I have mentioned all the Local IP network segment as not category (Source IP!= 10.0.0.0/8) and for R2L vice versa (Destination IP!=10.0.0.0/8).   

Can anyone help me with this please? 

Labels (2)
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎01-25-2024 08:45 AM

This would heavily depend on what your events look like as you would simply extract fields that represent "remote" and "local" fields. 

Got an example event?

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...