Splunk Enterprise Security

Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

bwoltz
New Member

Splunk 6.5.1
Splunk Enterprise Security (ES) 4.2.0

I wrote the correlation search below (show sources that trigger more than 100 IPS alerts) which triggers nicely but I'm trying to add exclusions to get my desired results. I'm looking to get the output of IPS alerts that only match Severity=4. I'm also looking to exclude CIDR ranges from the output, ex 10.0.0.0/8. Any thoughts?

| tstats allow_old_summaries=true values(IDS_Attacks.tag) as "tag",c(IDS_Attacks.signature) as "count" from datamodel=Intrusion_Detection where nodename=IDS_Attacks by "IDS_Attacks.src"  | rename "IDS_Attacks.src" as "src" | where 'count'>100 | rename "tag" as "orig_tag"
0 Karma
1 Solution

larryjcp
Explorer

Hi bwoltz. See my suggestion below:

| tstats allow_old_summaries=true values(IDS_Attacks.tag) as "tag",c(IDS_Attacks.signature) as "count"  from datamodel=Intrusion_Detection where nodename=IDS_Attacks by "IDS_Attacks.src"  
| `drop_dm_object_name("IDS_Attacks")`
| where 'count'>100 AND  severity=4 AND NOT cidrmatch("10.0.0.0/8",src)
| rename "tag" as "orig_tag"

`drop_dm_object_name("IDS_Attacks")` is a macro that allows you to drop the data model object name

Hope it works!


0 Karma
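The same logic as a stand-alone script (an added example, not code from this thread): count alerts per source, keep only severity-4 events, drop sources inside excluded CIDR ranges the way `cidrmatch` does, and report sources above the threshold. The severity filter is applied per event before counting, which is what you get by filtering inside the `tstats` `where` clause. All events below are constructed sample data.

```python
import ipaddress
from collections import defaultdict


def make_events(src, n, severity, tag, signature="constructed-sig"):
    """Build n constructed IDS events (not real data) for one source."""
    return [{"src": src, "signature": signature, "severity": severity, "tag": tag}
            for _ in range(n)]


# Constructed sample: one noisy sev-4 source, one noisy source inside 10.0.0.0/8,
# one noisy sev-3 source, one quiet sev-4 source, and one non-IP source name.
SAMPLE_EVENTS = (
    make_events("203.0.113.10", 150, 4, "attack")
    + make_events("10.1.2.3", 120, 4, "attack")
    + make_events("198.51.100.5", 150, 3, "attack")
    + make_events("192.0.2.7", 50, 4, "attack")
    + make_events("sensor-internal", 5, 4, "attack")
)


def in_excluded_range(src, networks):
    """Mimic cidrmatch(): a value that is not an IP address never matches."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def over_threshold_sources(events, threshold=100, severity=4,
                           excluded_cidrs=("10.0.0.0/8",)):
    """Return {src: {"count": n, "orig_tag": [...]}} for sources whose
    severity-filtered alert count exceeds the threshold and whose src is
    outside every excluded CIDR range."""
    networks = [ipaddress.ip_network(c) for c in excluded_cidrs]
    counts = defaultdict(int)
    tags = defaultdict(set)
    for ev in events:
        if ev["severity"] != severity:          # filter before aggregating
            continue
        if in_excluded_range(ev["src"], networks):
            continue
        counts[ev["src"]] += 1                  # c(IDS_Attacks.signature)
        tags[ev["src"]].add(ev["tag"])          # values(IDS_Attacks.tag)
    return {src: {"count": n, "orig_tag": sorted(tags[src])}
            for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for src, row in over_threshold_sources(SAMPLE_EVENTS).items():
        print(src, row)
```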

Azerty728
Path Finder

Since 7.1.1, when a field is multivalue, after the rename (included in the drop_dm_object_name macro) it's no longer a MV field.
Splunk changed something in the rename command, and it has broken the multivalue capability.
Sad!

0 Karma


bwoltz
New Member

larryjcp, if I remove the parenthesis to the left of count it works like a charm. Thanks!!!

0 Karma

larryjcp
Explorer

Right!... It's a good practice to balance those guys haha! Glad it worked! (I edited the answer)

0 Karma