Solved: In Splunk Enterprise Security, can you help me fix...

jvanbibber · ‎03-06-2019

I'm trying to use the NOT operator in a search to exclude internal destination traffic. Any help would be great!

| tstats summariesonly=t count from datamodel=Network_Traffic where * by All_Traffic.dest All_Traffic.src | sort - count

pkeenan87 · ‎03-06-2019

You could try and exclude RFC 1918 ranges from the dest field

| tstats summariesonly=t count from datamodel=Network_Traffic where All_Traffic.dest!=10.0.0.0/8 AND All_Traffic.dest!=172.16.0.0/12 AND All_Traffic.dest!=192.168.0.0/16 by All_Traffic.dest All_Traffic.src | sort - count

View solution in original post

pkeenan87 · ‎03-06-2019

You could try and exclude RFC 1918 ranges from the dest field

| tstats summariesonly=t count from datamodel=Network_Traffic where All_Traffic.dest!=10.0.0.0/8 AND All_Traffic.dest!=172.16.0.0/12 AND All_Traffic.dest!=192.168.0.0/16 by All_Traffic.dest All_Traffic.src | sort - count

jvanbibber · ‎03-06-2019

Will give it a try, thank you!

FrankVl · ‎03-06-2019

And how would you recognize internal destination traffic in your case? Do you have asset enrichments in place, so you can do All_Traffic.dest_category!=internal or so?

Hard to help with this little information. We'll need better info on what your data looks like, how you think you want to recognize internal destinations and what you have tried so far.

jvanbibber · ‎03-06-2019

Well, based on IP private IP ranges is a good place to start, don't you think? 10.0.0.0/8
I don't know how I would incorporate that into the search string

In Splunk Enterprise Security, can you help me fix my search that uses the tstats command with a NOT operator?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application