• Support
  • Forums
  • Blogs
A New Community Experience is Coming! For more information, please see our announcement.

Device IP Exclusion Filtering?

PrycePryce

New Life Form
Is there a way to run a report / SIEM query / Raw log query which specifies several device IPs (IP of device that sent the log) to be excluded?  

I recently took over my company's AV deployment and I'm trying to determine all of the devices that are currently sending logs to the server so that we can determine what ISN'T sending logs.

Instead of combing through millions of events, I'd like a way to run a query / report that excludes a specific device IP.  That way I could say "Ok, I see events coming from 1.1.1.1, so this next query will not include 1.1.1.1 and we'll see what is still there".  Then I could keep doing that until there's nothing left.  

I see plenty of ways to exclude src/dst IPs for events but no way to exclude device IPs which seems to be associated with the device that sent the original event.  

Any ideas? 

Share post:

Comments

  • Typically you would put an exclamation point before the IP in the query to filter it out.  Of course i just tried this and it did not work.

    If you get an answer please update this threat because this would be great information to have.
Sign In or Register to comment.