Splunk Enterprise Security

How to exclude CIDR range from Splunk Enterprise Security alert

saidshow
Explorer

We have a number of alerts in Splunk ES that are triggered by our external scanner. We want to be able to exclude our own external scanner from these alerts in Splunk ES. I have the CIDR range for our scanner however my training for Splunk ES is not until March. I would like to make a move on excluding the scanner from these alerts and looking at more meaningful alerts.

Thank you.

0 Karma
1 Solution

to4kawa
SplunkTrust
SplunkTrust
index=_internal
| search NOT 127.0.0.0/8

Hi, @saidshow
This query is the sample of exclude CIDR.

your_search
|search NOT your_ip_and_prefix

How about this?

View solution in original post

lkutch_splunk
Splunk Employee
Splunk Employee

Which version of ES? Maybe you could use MLTK. There's an example of filtering out the CIDR range of test servers by using .src!=10.11.36.0/24: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/MLTKoverview#Finding_outliers_with_DensityFunct...

saidshow
Explorer

Mate, that is terrific. I will see if I can get this working on Monday. Thank you for taking the time to assist. It is appreciated.

0 Karma

to4kawa
SplunkTrust
SplunkTrust
index=_internal
| search NOT 127.0.0.0/8

Hi, @saidshow
This query is the sample of exclude CIDR.

your_search
|search NOT your_ip_and_prefix

How about this?

View solution in original post

saidshow
Explorer

I tried it and it worked just fine - it was actually so simple I overlooked it. This works both as:

my_search NOT field=value

and as

my_search
| search NOT field=value

I prefer the second as it is clearer in the search. Thank you again. Very simple.

0 Karma

to4kawa
SplunkTrust
SplunkTrust

The second is slower, so the first is fine. Happy splunking.

0 Karma

saidshow
Explorer

Thank you, this looks very simple. I will give this a try in a moment.

0 Karma