Splunk Search

InfoSec - Continuous Monitoring - Intrusion Detection Dashboard

Loves-to-Learn Lots

Would someone be able to help me understand how do to this?  I would like to modify the built in dashboard in the InfoSec APP to exclude a specific source IP address.  The default search the dashboard uses is below.


| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks where * IDS_Attacks.severity="*" by IDS_Attacks.signature, IDS_Attacks.severity | rename "IDS_Attacks.*" as "*" | sort severity


Currently, that dashboard visual is full of events from my vulnerability scanner running scans. 

Labels (1)
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.