InfoSec - Continuous Monitoring - Intrusion Detect...

AJSCSA · ‎07-28-2021

Would someone be able to help me understand how do to this? I would like to modify the built in dashboard in the InfoSec APP to exclude a specific source IP address. The default search the dashboard uses is below.

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks where * IDS_Attacks.severity="*" by IDS_Attacks.signature, IDS_Attacks.severity | rename "IDS_Attacks.*" as "*" | sort severity

Currently, that dashboard visual is full of events from my vulnerability scanner running scans.

rcruz · ‎07-20-2023

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks where * IDS_Attacks.severity="*" IDS_Attacks.severity="IP TO BE EXCLUDED" by IDS_Attacks.signature, IDS_Attacks.severity | rename "IDS_Attacks.*" as "*" | sort severity

Replace the IP TO BE EXCLUDED with the actual IP.

InfoSec - Continuous Monitoring - Intrusion Detection Dashboard

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation