Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

ES Tuning Question

edwardrose
Contributor
‎11-20-2019 09:50 AM

Hello All,

I am working on tuning the Network-Unroutable Host Activity -Rule search and we are trying to exclude our VPN networks and DNS hosts that are sending data to 192.0.0.0 from the search. I thought I could run a loop for every IP address of our dns servers. Here is what I added to the fully blown out search but it does not seem to be working like I thought it would.

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count,values(sourcetype) from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src,All_Traffic.dest 
| rename "All_Traffic.*" as "*" 
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true append=true count,values(sourcetype) from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.src,IDS_Attacks.dest 
| rename "IDS_Attacks.*" as "*" 
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true append=true count,values(sourcetype) from datamodel=Web.Web by Web.src,Web.dest 
| rename "Web.*" as "*" 
| stats count,values(sourcetype) as sourcetype by src,dest 
| lookup local=true bogonlist_lookup_by_cidr ip AS "src" OUTPUTNEW is_bogon AS "src_is_bogon",is_internal AS "src_is_internal" 
| lookup local=true bogonlist_lookup_by_cidr ip AS "dest" OUTPUTNEW is_bogon AS "dest_is_bogon",is_internal AS "dest_is_internal" 
| search (NOT dest=169.254.* NOT src=169.254.* ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true))) 
| search (NOT dest=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] NOT src=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip]  ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true)))
| eval bogon_ip=if(((dest_is_bogon == "true") AND (dest_is_internal != "true")),dest,bogon_ip), bogon_ip=if(((src_is_bogon == "true") AND (src_is_internal != "true")),src,bogon_ip) 
| fields + sourcetype, src, dest, bogon_ip

I added the following line:

| search (NOT dest=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] NOT src=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip]  ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true)))

But like I stated it does not seem to be working like I thought it should. Any help would be appreciated.

Thanks
ed

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...