Splunk Enterprise Security

Omit IP addresses from SPL

tkbrown
Engager

What is the best way to omit internal IPs within this SPL? There are a lot of internal source IP hits that come up when running this SPL over the past 60 mins. This is a canned use case that comes with ES. 

ESCU - Protocols passing authentication in cleartext - Rule

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`

Thank you,

Tomas

Labels (1)
0 Karma

lakshman239
SplunkTrust
SplunkTrust

@tkbrown  - If you can add a category against all these internal IPs which want to exclude in your assets/identities for ES, you can use the 'src_category' to exclude them in the above rule. Hope this helps.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...