Hi Guys,
Can you please tell me how to exclude/whitelist multiple IP addresses from the data model search?
here is the example:
All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.13
I would like to have it clearer, like: All_Traffic.dest_ip!=10.10.10.10, 10.10.10.10, 10.10.10.13
Unfortunately it doesn't work. Which parameter needs to be used?
Thanks!
You could use the IN operator
... Where NOT All_Traffic.dest_ip IN (10.10.10.10, 10.10.10.10, 10.10.10.13)
And later on, if I would like to add All_Traffic.dest_port and All_Traffic.transport,
which parameter should I use?
I tried:
WHERE NOT (All_Traffic.src_port IN (80, 443) OR NOT All_Traffic.dest_port IN (80, 443, 22, 5060)
but it does not work.
I don't know how the NOT outside the parens impacts the NOT inside, and I'm also not sure what logic you are trying to implement.
This will find any events that don't have a src port of 80 or 443, or a dest port of 80, 443, 22 or 5060:
WHERE ( NOT All_Traffic.src_port IN (80, 443) AND NOT All_Traffic.dest_port IN (80, 443, 22, 5060) )
OR
WHERE NOT ( All_Traffic.src_port IN (80, 443) OR All_Traffic.dest_port IN (80, 443, 22, 5060) )
and how about IP ranges, for example:
All_Traffic.src_ip IN (10.16.72.20, 10.128.124.0/22)
?
As far as I can tell, when using IN the CIDR address is seen as a single value and not as a CIDR value to expand.
You would need to do it the old fashioned way:
All_Traffic.src_ip=10.16.72.20 OR All_Traffic.src_ip=10.128.124.0/22
If you have several individual IPs, you could do those via IN:
WHERE All_Traffic.src_ip IN (10.16.72.20, 10.16.73.20 ) OR All_Traffic.src_ip=10.128.124.0/22 OR All_Traffic.src_ip=10.34.124.0/22
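Added example (not from the thread and not Splunk's own evaluator): a small Python model of the three WHERE-clause patterns discussed above, run over a handful of constructed All_Traffic-style events. It shows that the two forms of the port exclusion are equivalent, what the original attempt matches when its missing `)` is assumed to close at the end, and why a CIDR member inside IN only matches its literal string while the OR chain of `src_ip=` comparisons matches the range. The event values, the helper names and the `ipaddress`-based CIDR check are all assumptions made for illustration.

```python
import ipaddress
from typing import Iterable

# Constructed sample events in the shape of the All_Traffic data model.
# These are made up for this example, not real traffic.
EVENTS = [
    {"src_ip": "10.16.72.20",  "dest_ip": "10.10.10.10",  "src_port": 51000, "dest_port": 443},
    {"src_ip": "10.128.125.7", "dest_ip": "192.0.2.5",    "src_port": 80,    "dest_port": 51001},
    {"src_ip": "10.34.124.9",  "dest_ip": "10.10.10.13",  "src_port": 52000, "dest_port": 22},
    {"src_ip": "172.16.5.5",   "dest_ip": "198.51.100.1", "src_port": 53000, "dest_port": 8080},
    {"src_ip": "10.128.130.1", "dest_ip": "198.51.100.2", "src_port": 443,   "dest_port": 3389},
]

SRC_PORTS = {80, 443}
DEST_PORTS = {80, 443, 22, 5060}


def ip_in(value: str, members: Iterable[str]) -> bool:
    """Model of `field IN (...)`: every member is a literal string, so a
    CIDR member such as 10.128.124.0/22 only matches that exact string."""
    return value in set(members)


def ip_match(value: str, patterns: Iterable[str]) -> bool:
    """Model of the 'old fashioned' chain `src_ip=a OR src_ip=b/22 ...`:
    members containing '/' are treated as CIDR blocks, the rest as exact IPs."""
    addr = ipaddress.ip_address(value)
    for pattern in patterns:
        if "/" in pattern:
            if addr in ipaddress.ip_network(pattern, strict=False):
                return True
        elif addr == ipaddress.ip_address(pattern):
            return True
    return False


def filter_dest_ips(events, excluded=("10.10.10.10", "10.10.10.13")):
    """WHERE NOT All_Traffic.dest_ip IN (10.10.10.10, 10.10.10.13)"""
    return [e for e in events if not ip_in(e["dest_ip"], excluded)]


def filter_src_ranges(events, patterns=("10.16.72.20", "10.128.124.0/22", "10.34.124.0/22")):
    """src_ip=10.16.72.20 OR src_ip=10.128.124.0/22 OR src_ip=10.34.124.0/22"""
    return [e for e in events if ip_match(e["src_ip"], patterns)]


def exclude_ports_form_a(ev) -> bool:
    """WHERE ( NOT src_port IN (80, 443) AND NOT dest_port IN (80, 443, 22, 5060) )"""
    return ev["src_port"] not in SRC_PORTS and ev["dest_port"] not in DEST_PORTS


def exclude_ports_form_b(ev) -> bool:
    """WHERE NOT ( src_port IN (80, 443) OR dest_port IN (80, 443, 22, 5060) )"""
    return not (ev["src_port"] in SRC_PORTS or ev["dest_port"] in DEST_PORTS)


def exclude_ports_as_posted(ev) -> bool:
    """The attempt from the question, read with its missing ')' closed at the
    end (an assumption): NOT ( src_port IN (...) OR NOT dest_port IN (...) ).
    The inner NOT flips the dest_port test, so this keeps exactly the events
    whose dest_port IS in the list."""
    return not (ev["src_port"] in SRC_PORTS or ev["dest_port"] not in DEST_PORTS)


def apply(pred, events):
    """Run a WHERE-style predicate over a list of events."""
    return [e for e in events if pred(e)]


if __name__ == "__main__":
    print("dest_ip exclusion keeps:", [e["dest_ip"] for e in filter_dest_ips(EVENTS)])
    print("src_ip OR chain keeps:  ", [e["src_ip"] for e in filter_src_ranges(EVENTS)])
    print("CIDR inside IN matches 10.128.125.7?", ip_in("10.128.125.7", ["10.128.124.0/22"]))
    print("form A == form B?", apply(exclude_ports_form_a, EVENTS) == apply(exclude_ports_form_b, EVENTS))
    print("as posted keeps dest_ports:", [e["dest_port"] for e in apply(exclude_ports_as_posted, EVENTS)])
```

Forms A and B are De Morgan equivalents and both keep only the 8080 event; the posted form keeps the 443 and 22 events instead, which is the opposite of the intent on the dest_port side. The `ip_in` call shows the IN caveat directly: 10.128.125.7 is inside 10.128.124.0/22, but as a literal list member the CIDR never matches it.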
Thank you !!!