https://community.splunk.com/t5/Splunk-Cloud-Platform/Splunk-Alert-best-practice-input/m-p/533700#M389 <P>Hello Splunkers,</P><P>I just wanted to have someone give me best practice input.</P><P>My scenario is that I have threat intelligence coming in from Threatconnect. The index is "threatconnect".&nbsp; Threatconnect is auto-tagging any IOCs related to the solarwinds breach as "solarwinds breach" and I've seen other tags come in with the word "solarwinds"&nbsp; so I will wildcard it.&nbsp; The event which this comes in under is in&nbsp; field "event.ts_detail".&nbsp;&nbsp;</P><P>I run this search and I see activity:</P><P>index=threatconnect event.ts_detail=*solarwinds*</P><P>However, all the activity I am seeing is an IP brute forcing us constantly. It comes in as this field event.src=45.129.33.129</P><P>Therefore, I created an alert with this search which runs every hour:</P><P>index=threatconnect event.ts_detail=*solarwinds* event.src!=45.129.33.129</P><P>My question to you:</P><P>Is this best practice to set the alert and ignore something that I don't care about (IP 45.129.33.129 since it's only probing).&nbsp;&nbsp;</P><P>Would you do it differently?</P><P>&nbsp;</P> Mon, 21 Dec 2020 06:38:29 GMT iherb_0718 2020-12-21T06:38:29Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Splunk-Alert-best-practice-input/m-p/533700#M389 <P>Hello Splunkers,</P><P>I just wanted to have someone give me best practice input.</P><P>My scenario is that I have threat intelligence coming in from Threatconnect. The index is "threatconnect".&nbsp; Threatconnect is auto-tagging any IOCs related to the solarwinds breach as "solarwinds breach" and I've seen other tags come in with the word "solarwinds"&nbsp; so I will wildcard it.&nbsp; The event which this comes in under is in&nbsp; field "event.ts_detail".&nbsp;&nbsp;</P><P>I run this search and I see activity:</P><P>index=threatconnect event.ts_detail=*solarwinds*</P><P>However, all the activity I am seeing is an IP brute forcing us constantly. It comes in as this field event.src=45.129.33.129</P><P>Therefore, I created an alert with this search which runs every hour:</P><P>index=threatconnect event.ts_detail=*solarwinds* event.src!=45.129.33.129</P><P>My question to you:</P><P>Is this best practice to set the alert and ignore something that I don't care about (IP 45.129.33.129 since it's only probing).&nbsp;&nbsp;</P><P>Would you do it differently?</P><P>&nbsp;</P> Mon, 21 Dec 2020 06:38:29 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Splunk-Alert-best-practice-input/m-p/533700#M389 iherb_0718 2020-12-21T06:38:29Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Splunk-Alert-best-practice-input/m-p/533705#M390 <P>I believe I'm better off with putting the exclusions from an input table so that it will be easier for me to exclude additional IPs.&nbsp;</P><P>Suppose I make the exclusion as a lookup file called: Solarwinds_whitelist_IOC.csv</P><P>What would the syntax be for me to call on this input table to NOT include?</P> Mon, 21 Dec 2020 07:55:46 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Splunk-Alert-best-practice-input/m-p/533705#M390 iherb_0718 2020-12-21T07:55:46Z