Exclude internal ip's

Bradly · February 17, 2016, 7:43pm

I am still new and working to figure out how to use elasticsearch correctly to do what I want. I have been able to write some query's to get some information about all of the traffic on our network but now I would like to filter out anything that is internal and only show internet traffic.

Currently I am setup as follows
ASA firewall -> ELK (via Netflow)

What is the proper way to exclude 10.0.0.0/4, 172.16.0.0/12 and 192.168.0.0/16 from the rest of the traffic. Im sure its simple and I am just going about it all wrong.

Brad

stormpython · February 17, 2016, 8:15pm

Hi Brad,

You can exclude those patterns from your query using the searchbox and lucene query syntax. Here is a nice tutorial site for learning the lucene query syntax.

-ip: "10.0.0.0/4" AND -ip: "172.16.0.0/12" AND -ip: "192.168.0.0/16"

where ip is the field name.

Topic		Replies	Views
Kibana Visualization Regex Exclusion issue Kibana lens	5	466	August 16, 2023
Kibana search query to remove ip range Kibana	3	23834	July 6, 2017
Detecting inital of breach SIEM	2	140	July 9, 2024
Query field for set of values or not in set of values Kibana	3	344	May 18, 2019
Kibana filter ip address or network Kibana	2	12112	May 10, 2019

Exclude internal ip's

Related Topics