Splunk Enterprise Security

Exclude results from tstats

mtaylor10
Engager

I have a correlation search created. However, I want to exclude files from being alerted upon. I have a lookup file created that has a list of files to be excluded; however, when I call that lookup file to exclude the files, the search results exclude the whole host and all its affected files, not just the single file I want excluded.

My tstats search:

| tstats values(Symantec_ICDX.device_public_ip) values(Symantec_ICDX.user_name)
    values(Symantec_ICDX.file.name) values(Symantec_ICDX.threat.name) values(Symantec_ICDX.type)
    values(Symantec_ICDX.file.sha2) as Symantec_ICDX.file.sha2 values(Symantec_ICDX.file.path)
    from datamodel=Symantec_ICDX
    by Symantec_ICDX.device_name
| rename Symantec_ICDX.device_name as dest,
    values(Symantec_ICDX.device_public_ip) as dest_ip,
    values(Symantec_ICDX.user_name) as user,
    values(Symantec_ICDX.file.name) as file_name,
    values(Symantec_ICDX.threat.name) as threat_name,
    values(Symantec_ICDX.type) as type,
    Symantec_ICDX.file.sha2 as file_hash,
    values(Symantec_ICDX.file.path) as file_path

Results of tstats search:

[screenshot: results of the tstats search, one row per device]
New tstats search after putting ruby.exe into the lookup file:

| tstats values(Symantec_ICDX.device_public_ip) values(Symantec_ICDX.user_name)
    values(Symantec_ICDX.file.name) values(Symantec_ICDX.threat.name) values(Symantec_ICDX.type)
    values(Symantec_ICDX.file.sha2) as Symantec_ICDX.file.sha2 values(Symantec_ICDX.file.path)
    from datamodel=Symantec_ICDX
    by Symantec_ICDX.device_name
| rename Symantec_ICDX.device_name as dest,
    values(Symantec_ICDX.device_public_ip) as dest_ip,
    values(Symantec_ICDX.user_name) as user,
    values(Symantec_ICDX.file.name) as file_name,
    values(Symantec_ICDX.threat.name) as threat_name,
    values(Symantec_ICDX.type) as type,
    Symantec_ICDX.file.sha2 as file_hash,
    values(Symantec_ICDX.file.path) as file_path
| search NOT [| inputlookup exclusions.csv | fields file_name]
| search dest=COFGOOPAL2572TW


Results:

[screenshot: results after applying the exclusion lookup]
Lookup file:

[screenshot: exclusions.csv lookup file, column file_name]

richgalloway
SplunkTrust

I'd try making exclusions part of tstats.

| tstats values(Symantec_ICDX.device_public_ip) values(Symantec_ICDX.user_name)
    values(Symantec_ICDX.file.name) values(Symantec_ICDX.threat.name) values(Symantec_ICDX.type)
    values(Symantec_ICDX.file.sha2) as Symantec_ICDX.file.sha2 values(Symantec_ICDX.file.path)
    from datamodel=Symantec_ICDX
    where NOT [| inputlookup exclusions.csv | fields file_name | rename file_name as "Symantec_ICDX.file.name" | format]
    by Symantec_ICDX.device_name
| rename Symantec_ICDX.device_name as dest,
    values(Symantec_ICDX.device_public_ip) as dest_ip,
    values(Symantec_ICDX.user_name) as user,
    values(Symantec_ICDX.file.name) as file_name,
    values(Symantec_ICDX.threat.name) as threat_name,
    values(Symantec_ICDX.type) as type,
    Symantec_ICDX.file.sha2 as file_hash,
    values(Symantec_ICDX.file.path) as file_path

---
If this reply helps you, Karma would be appreciated.
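Added example (not part of the thread above, and not Splunk code): a small Python model of why the accepted answer works. It emulates `| tstats values(...) by device_name` as a per-device set of values, then applies the exclusion list either after aggregation (the asker's `| search NOT [...]`, where a multivalue `file_name` matches if any of its values is excluded, so the whole device row is dropped) or before aggregation (the `where NOT [...]` inside `tstats`, where only the matching raw events are removed). The events, host names, hashes and the `exclusions.csv` contents are constructed for the example; the field names mirror the Symantec_ICDX fields used in the searches but are an assumption about the data model.

```python
from collections import defaultdict

# Constructed sample detections shaped like Symantec_ICDX events (field names assumed).
# HOST-A has two detections, one of which (ruby.exe) is on the exclusion list.
EVENTS = [
    {"device_name": "HOST-A", "file.name": "ruby.exe",     "threat.name": "Hacktool",          "file.sha2": "a" * 8},
    {"device_name": "HOST-A", "file.name": "mimikatz.exe", "threat.name": "Hacktool.Mimikatz", "file.sha2": "b" * 8},
    {"device_name": "HOST-B", "file.name": "ruby.exe",     "threat.name": "Hacktool",          "file.sha2": "c" * 8},
]

# Stand-in for exclusions.csv, which has a single file_name column.
EXCLUSIONS = {"ruby.exe"}


def tstats_values_by_device(events):
    """Emulate `| tstats values(<field>) ... by device_name`.

    Returns one row per device; every other field becomes a multivalue
    (here a set) holding all distinct values seen on that device.
    """
    rows = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for field, value in ev.items():
            if field != "device_name":
                rows[ev["device_name"]][field].add(value)
    return {dev: dict(fields) for dev, fields in rows.items()}


def exclude_after_aggregation(events, exclusions):
    """The asker's approach: `| tstats ... | search NOT [inputlookup ...]`.

    The NOT is evaluated on the aggregated row. A multivalue field matches
    `file_name="ruby.exe"` when ANY value equals it, so the device and all of
    its other detections vanish together.
    """
    rows = tstats_values_by_device(events)
    return {dev: f for dev, f in rows.items() if not (f["file.name"] & exclusions)}


def exclude_before_aggregation(events, exclusions, field="file.name"):
    """The accepted answer: `| tstats ... where NOT [inputlookup ... | format]`.

    The filter runs on raw events before the values() aggregation, so only the
    excluded file is dropped and the device's remaining detections survive.
    `field` lets the same filter key on file.sha2 instead of file.name.
    """
    kept = [ev for ev in events if ev[field] not in exclusions]
    return tstats_values_by_device(kept)


def format_exclusion_clause(exclusions, field="Symantec_ICDX.file.name"):
    """Shape of the string `| rename file_name as "<field>" | format` hands
    back to the outer search, e.g. ( ( "Symantec_ICDX.file.name"="ruby.exe" ) ).
    """
    terms = " OR ".join(f'( "{field}"="{name}" )' for name in sorted(exclusions))
    return f"( {terms} )"


if __name__ == "__main__":
    print("after aggregation :", exclude_after_aggregation(EVENTS, EXCLUSIONS))
    print("before aggregation:", exclude_before_aggregation(EVENTS, EXCLUSIONS))
    print("where NOT", format_exclusion_clause(EXCLUSIONS))
```

Running it shows the post-aggregation variant returning no rows at all (HOST-A is lost along with its mimikatz.exe detection), while the pre-aggregation variant keeps HOST-A with only the non-excluded file. One caveat worth carrying into the real correlation search: a lookup keyed on `file_name` alone lets anything renamed to `ruby.exe` slip past the alert. Since the `tstats` already pulls `Symantec_ICDX.file.sha2`, keying the exclusion on the hash (the `field="file.sha2"` path above) is the stronger allowlist.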

mtaylor10
Engager

That worked perfectly, thank you. 

