I am looking to create dashboards that show our outgoing/incoming network connections. What is the best way to filter out large CIDR blocks? Is it better to create an app rule to have it run during collection? Currently I am trying out doing an ip.dst != '10.0.0.0/8'
Do you already have your internal ranges mapped out? As analyst best practice I typically use a feed to map out IP ranges in a CSV, to provide some additional context (unless you have the Archer integration already doing this).
10.1.0.0/16 = site1
10.1.1.1 = to_proxy (site 1)
x.x.x.x = from proxy (site 1)
10.2.0.0/16 = site2
10.2.1.1 = to_proxy (site 2)
x.x.x.x = from proxy (site 2)
10.3.0.0/16 = VPN range
10.4.0.0/16 = Guest wireless
You could use an application rule to create custom meta, although a feed is much more efficient. Once you have this additional meta you can easily build rules around the new meta.
Craig
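As an added illustration of the feed approach described in the reply above (example code written here, not from the thread or from NetWitness): a constructed CSV maps CIDRs to site labels, lookups use the longest matching prefix so a host entry beats its enclosing range, and each flow is tagged inbound/outbound/internal from that meta rather than from a hand-maintained chain of ip.dst != exclusions. The /32 proxy addresses and the sample flows are made up.

```python
import csv
import io
import ipaddress

# Constructed feed modelled on the ranges in the reply; /32 rows stand in for "x.x.x.x".
FEED_CSV = """cidr,label
10.0.0.0/8,internal
10.1.0.0/16,site1
10.1.1.1/32,to_proxy_site1
10.2.0.0/16,site2
10.2.1.1/32,to_proxy_site2
10.3.0.0/16,vpn
10.4.0.0/16,guest_wireless
"""

def load_feed(text):
    """Parse the CSV into (network, label) pairs sorted most-specific first,
    so a /32 host entry wins over the /16 or /8 that also contains it."""
    rows = [(ipaddress.ip_network(r["cidr"].strip(), strict=False), r["label"].strip())
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)

def label_ip(ip, feed):
    """Longest-prefix match of ip against the feed; 'external' if nothing matches."""
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in feed if addr in net), "external")

def classify_flow(src, dst, feed):
    """Tag one flow with its direction and the site label of each endpoint.
    Direction comes from whether each side appears in the feed at all."""
    s, d = label_ip(src, feed), label_ip(dst, feed)
    direction = {(True, True): "internal", (True, False): "outbound",
                 (False, True): "inbound", (False, False): "transit"}
    return {"direction": direction[(s != "external", d != "external")],
            "src_label": s, "dst_label": d}

def summarize(flows, feed):
    """Count flows per direction: the series a dashboard widget would chart."""
    counts = {}
    for src, dst in flows:
        key = classify_flow(src, dst, feed)["direction"]
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample flows (src, dst) using documentation ranges, not real traffic.
SAMPLE_FLOWS = [("10.1.50.7", "10.1.1.1"), ("10.1.50.7", "203.0.113.10"),
                ("198.51.100.3", "10.4.20.9"), ("10.3.9.9", "10.2.8.8")]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS, load_feed(FEED_CSV)))
```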