Splunk Enterprise Security
Highlighted

Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

New Member

Splunk 6.5.1
Splunk Enterprise Security (ES) 4.2.0

I wrote the correlation search below (show sources that trigger more than 100 IPS alerts) which triggers nicely but I'm trying to add exclusions to get my desired results. I'm looking to get the output of IPS alerts that only match Severity=4. I'm also looking to exclude CIDR ranges from the output, ex 10.0.0.0/8. Any thoughts?

| tstats allow_old_summaries=true values(IDS_Attacks.tag) as "tag",c(IDS_Attacks.signature) as "count" from datamodel=Intrusion_Detection where nodename=IDS_Attacks by "IDS_Attacks.src"  | rename "IDS_Attacks.src" as "src" | where 'count'>100 | rename "tag" as "orig_tag"
0 Karma
Highlighted

Re: Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

Explorer

Hi bwoltz. See my suggestion below:

| tstats allow_old_summaries=true values(IDS_Attacks.tag) as "tag",c(IDS_Attacks.signature) as "count"  from datamodel=Intrusion_Detection where nodename=IDS_Attacks by "IDS_Attacks.src"  
| `drop_dm_object_name("IDS_Attacks")`
| where 'count'>100 AND  severity=4 AND NOT cidrmatch("10.0.0.0/8",src)
| rename "tag" as "orig_tag"

| drop_dm_object_name("IDS_Attacks") - is a macro that allows to drop the data model object name

Hope it works!

View solution in original post

0 Karma
Highlighted

Re: Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

New Member

larryjcp, if I remove the parenthesis to the left of count it works like a charm. Thanks!!!

0 Karma
Highlighted

Re: Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

Explorer

Right!... It's a good practice to balance those guys haha! Glad it worked! (I edited the answer)

0 Karma
Highlighted

Re: Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

Path Finder

Since 7.1.1, when a field is multivalue, after the rename (included in the dropdmobject_name macro) it's no longer a MV field.
Splunk changed something in the rename commande, and it has broken the multivalue capability.
Sad !

0 Karma