Splunk Enterprise Security

Omit IP addresses from SPL


What is the best way to omit internal IPs within this SPL? There are a lot of internal source IP hits that come up when running this SPL over the past 60 mins. This is a canned use case that comes with ES. 

ESCU - Protocols passing authentication in cleartext - Rule

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.transport="tcp" AND (All_Traffic.dest_port="23" OR All_Traffic.dest_port="143" OR All_Traffic.dest_port="110" OR (All_Traffic.dest_port="21" AND All_Traffic.user != "anonymous")) by All_Traffic.user All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`

Thank you,


Labels (1)
0 Karma


@tkbrown  - If you can add a category against all these internal IPs which want to exclude in your assets/identities for ES, you can use the 'src_category' to exclude them in the above rule. Hope this helps.

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...