Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ES Tuning Question

edwardrose
Contributor
‎11-20-2019 09:50 AM

Hello All,

I am working on tuning the Network-Unroutable Host Activity -Rule search and we are trying to exclude our VPN networks and DNS hosts that are sending data to 192.0.0.0 from the search. I thought I could run a loop for every IP address of our dns servers. Here is what I added to the fully blown out search but it does not seem to be working like I thought it would.

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count,values(sourcetype) from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src,All_Traffic.dest 
| rename "All_Traffic.*" as "*" 
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true append=true count,values(sourcetype) from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.src,IDS_Attacks.dest 
| rename "IDS_Attacks.*" as "*" 
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true append=true count,values(sourcetype) from datamodel=Web.Web by Web.src,Web.dest 
| rename "Web.*" as "*" 
| stats count,values(sourcetype) as sourcetype by src,dest 
| lookup local=true bogonlist_lookup_by_cidr ip AS "src" OUTPUTNEW is_bogon AS "src_is_bogon",is_internal AS "src_is_internal" 
| lookup local=true bogonlist_lookup_by_cidr ip AS "dest" OUTPUTNEW is_bogon AS "dest_is_bogon",is_internal AS "dest_is_internal" 
| search (NOT dest=169.254.* NOT src=169.254.* ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true))) 
| search (NOT dest=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] NOT src=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip]  ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true)))
| eval bogon_ip=if(((dest_is_bogon == "true") AND (dest_is_internal != "true")),dest,bogon_ip), bogon_ip=if(((src_is_bogon == "true") AND (src_is_internal != "true")),src,bogon_ip) 
| fields + sourcetype, src, dest, bogon_ip

I added the following line:

| search (NOT dest=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip] NOT src=[| inputlookup mentor_assets.csv | search nt_host="*-ddi-*" | table ip]  ((dest_is_internal!=true dest_is_bogon=true) OR (src_is_internal!=true src_is_bogon=true)))

But like I stated it does not seem to be working like I thought it should. Any help would be appreciated.

Thanks
ed

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...