Hello wonderful people of the internet,
I'm still quite new when it comes to using splunk, so could use a bit of advice with this one. I have 2 CSV files, both containing a list of IP addresses. One of these is called IOC1.csv, and is a file of known malicious addresses.
The second CSV, called ignore.csv, contains all of the IP addresses I wish to exclude from the results (Basically, stuff we want to discount/tune out).
I'd like a search which could check all of the FW logs for any hits which have an IP from IOC1.csv located in there, but discount the event if an IP from ignore.csv is also present.
Could somebody advise on how this could be done?
Thank you all so much.
... View more