The CSV defines two columns:

- `alert_name`: the Splunk alert to which the whitelisted IP (next column) applies.
- `src_ip` (or `dest_ip`): the IP address or CIDR range to whitelist. The second column's name must match the event field being whitelisted, so a `src_ip` lookup and a `dest_ip` lookup are separate CSVs.
```csv
alert_name,src_ip
my_splunk_alert,192.168.1.42
my_splunk_alert,10.0.0.0/16
other_alert,172.16.10.11
```

Keep the values free of whitespace after the comma: a lookup row written as `my_splunk_alert, 192.168.1.42` stores `" 192.168.1.42"` (leading space included) in `src_ip`, and the negative subsearch below will then never match the event field.
Collect the events tagged as Intrusion Detection and format the results. Notice the fields `src_ip` and `dest_ip`, to which we'll apply the whitelist later.

```spl
| datamodel Intrusion_Detection IDS_Attacks search
| `drop_dm_object_name(IDS_Attacks)`
| table detection_time src_ip dest_ip asset description
```
Perform a negative subsearch on each whitelist. The subsearch returns the `src_ip` (or `dest_ip`) values listed for the alert, and `search NOT [...]` drops every event whose field matches one of them; Splunk's `search` command treats a `10.0.0.0/16` value as a CIDR range when the field holds an IP address. Note that `match()` is an unanchored regex test, so `"my_splunk_alert"` also matches an alert named `my_splunk_alert_v2`; use `alert_name="my_splunk_alert"` when an exact name is wanted.

```spl
| search NOT [inputlookup src_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields src_ip]
| search NOT [inputlookup dest_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields dest_ip]
```
Putting it together, the complete search:

```spl
| datamodel Intrusion_Detection IDS_Attacks search
| `drop_dm_object_name(IDS_Attacks)`
| table detection_time src_ip dest_ip asset description
| search NOT [inputlookup src_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields src_ip]
| search NOT [inputlookup dest_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields dest_ip]
```
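To see exactly what the lookup-driven `search NOT [...]` filter does, here is an added Python model of the same logic (example code, not part of the original page and not Splunk's implementation): it parses a CSV with the page's two columns, keeps one whitelist per `alert_name`, and drops events whose IP field falls inside a listed address or CIDR range. The CSV text, the `EVENTS` list and the field values in it are constructed samples; the function names `load_whitelist`, `is_whitelisted` and `apply_whitelist` are this example's own. It differs from the SPL in two deliberate ways: it compares the alert name exactly rather than with an unanchored regex, and it strips whitespace from lookup values so a stray space after the comma cannot silently disable an entry.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of the src_ip_whitelist lookup, same columns as the page's CSV.
SRC_IP_WHITELIST_CSV = """alert_name,src_ip
my_splunk_alert,192.168.1.42
my_splunk_alert, 10.0.0.0/16
other_alert,172.16.10.11
"""

# Constructed sample IDS events in the shape of the `table` output above.
EVENTS = [
    {"detection_time": "2024-01-01T10:00:00", "src_ip": "192.168.1.42",
     "dest_ip": "10.1.1.5", "asset": "web01", "description": "scan (sample)"},
    {"detection_time": "2024-01-01T10:01:00", "src_ip": "10.0.77.9",
     "dest_ip": "10.1.1.5", "asset": "web01", "description": "scan (sample)"},
    {"detection_time": "2024-01-01T10:02:00", "src_ip": "203.0.113.7",
     "dest_ip": "10.1.1.5", "asset": "web01", "description": "exploit attempt (sample)"},
    {"detection_time": "2024-01-01T10:03:00", "src_ip": "172.16.10.11",
     "dest_ip": "10.1.1.5", "asset": "web01", "description": "policy (sample)"},
]


def load_whitelist(csv_text, ip_field):
    """Parse the lookup CSV into {alert_name: [ip_network, ...]}.

    Values are stripped on purpose: a space after the comma would otherwise be
    stored as part of the value and never match an event field.
    """
    table = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        alert = row["alert_name"].strip()
        # strict=False lets a bare host address become a /32 network.
        table[alert].append(ipaddress.ip_network(row[ip_field].strip(), strict=False))
    return table


def is_whitelisted(ip, alert_name, whitelist):
    """True when ip lies in any entry listed for exactly this alert name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # A non-IP value (empty field, hostname) is never whitelisted.
        return False
    return any(addr in net for net in whitelist.get(alert_name, []))


def apply_whitelist(events, alert_name, whitelist, ip_field):
    """Model of `search NOT [inputlookup ... | fields <ip_field>]`: keep the
    events whose ip_field is NOT covered by the alert's whitelist."""
    return [e for e in events if not is_whitelisted(e.get(ip_field, ""), alert_name, whitelist)]


if __name__ == "__main__":
    wl = load_whitelist(SRC_IP_WHITELIST_CSV, "src_ip")
    for event in apply_whitelist(EVENTS, "my_splunk_alert", wl, "src_ip"):
        print(event["detection_time"], event["src_ip"], event["description"])
```

Running it keeps only the `203.0.113.7` and `172.16.10.11` events for `my_splunk_alert`: the first source is listed verbatim, the second falls inside `10.0.0.0/16`, and `172.16.10.11` survives because its entry belongs to `other_alert`. To model the `dest_ip` whitelist, call the same functions with a `dest_ip` CSV and `ip_field="dest_ip"`.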
Moved text to Markdown with code blocks.
Added description.