Splunk Enterprise Security

How to exclude CIDR range from Splunk Enterprise Security alert

Explorer

We have a number of alerts in Splunk ES that are triggered by our external scanner. We want to be able to exclude our own external scanner from these alerts in Splunk ES. I have the CIDR range for our scanner however my training for Splunk ES is not until March. I would like to make a move on excluding the scanner from these alerts and looking at more meaningful alerts.

Thank you.

0 Karma
1 Solution

SplunkTrust
SplunkTrust
index=_internal
| search NOT 127.0.0.0/8

Hi, @saidshow
This query is the sample of exclude CIDR.

your_search
|search NOT your_ip_and_prefix

How about this?

View solution in original post

Splunk Employee
Splunk Employee

Which version of ES? Maybe you could use MLTK. There's an example of filtering out the CIDR range of test servers by using .src!=10.11.36.0/24: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/MLTKoverview#Finding_outliers_with_DensityFunct...

Explorer

Mate, that is terrific. I will see if I can get this working on Monday. Thank you for taking the time to assist. It is appreciated.

0 Karma

SplunkTrust
SplunkTrust
index=_internal
| search NOT 127.0.0.0/8

Hi, @saidshow
This query is the sample of exclude CIDR.

your_search
|search NOT your_ip_and_prefix

How about this?

View solution in original post

Explorer

I tried it and it worked just fine - it was actually so simple I overlooked it. This works both as:

my_search NOT field=value

and as

my_search
| search NOT field=value

I prefer the second as it is clearer in the search. Thank you again. Very simple.

0 Karma

SplunkTrust
SplunkTrust

The second is slower, so the first is fine. Happy splunking.

0 Karma

Explorer

Thank you, this looks very simple. I will give this a try in a moment.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!