topic Re: How do I effectively whitelist events like excessive failed logins, and abnormal new processes? in Splunk Enterprise

How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

MdSantana — Fri, 10 Feb 2023 01:58:46 GMT

Hello,

How do I effectively whitelist events like excessive failed logins, and abnormal new processes? These are known, non malicious issues in our network that generate a lot of hits that do not amount to anything upon extensive investigation.

Thanks in advance.

Re: How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

2MuchC0ff33 — Fri, 10 Feb 2023 07:17:45 GMT

Great question @MdSantana

You can effectively whitelist events in Splunk, such as excessive failed logins and unusual new processes, by using the following methods:

Suppression rules: To suppress these events, create a suppression rule in Splunk.
Whitelist of source IP addresses: For these events, you can create a whitelist of source IP addresses.
Use of "ignore" or "exclusion" lists: For these events, you can create an ignore or exclusion list.
Use of event types: These events can be assigned specific event types.

It should be noted that these methods should be used with caution, as they can also conceal legitimate security events. I recommend reading the Splunk documentation for more information on suppression rules, whitelist, ignore or exclusion lists, and event types:

Suppression Rules: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Suppressionrules
Whitelist: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Whitelist
Ignore or Exclusion Lists: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Ignorelist
Event Types: https://docs.splunk.com/Documentation/Splunk/7.3.3/Search/Abouteventtypes

Let me know if you need help developing commands.

Re: How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

MdSantana — Fri, 10 Feb 2023 21:25:34 GMT

Thank you 2MuchC0ff33.

I did a lot of searching to try and make sure I would only be whitelisting confirmed non malicious stuff while still allowing Splunk to do its job.

However, I have run into an issue while suppressing. Apparently my search cannot be parsed correctly. Here it is;

| from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="!exec: enable"

Not sure what the issue is, but any help is appreciated.

Thank you again!

Re: How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

2MuchC0ff33 — Mon, 13 Feb 2023 03:16:40 GMT

Hi @MdSantana

Using the "!" character in the search expression could be the source of the problem with the search query. In Splunk, the "!" character is used to negate a search term, so "!exec: enable" would match events where the value of the "command" field does not contain the string "exec: enable".

You could try escaping the "!" character by adding a backslash in front of it, as shown below:

| from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="\!exec: enable"

If this does not solve the problem, try replacing the "!" character with the "!" sequence, as shown below:

| from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="\\!exec: enable"

Re: How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

MdSantana — Mon, 13 Feb 2023 17:42:05 GMT

Hi @2MuchC0ff33 ,

Its strange because when I run a normal search string outside of the New Suppression setup wizard/box I get no errors.

But when I input the same thing into the box and attempt to save, I get the error.

Nonetheless, unfortunately neither one worked and I still can't figure out why it won't accept the string.

Re: How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

2MuchC0ff33 — Thu, 16 Feb 2023 01:53:24 GMT

@MdSantana, Could you try manually creating the suppression rule by adding it to your Splunk configuration's transforms.conf file?

Re: How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

MdSantana — Thu, 16 Feb 2023 15:52:37 GMT

Still doesn't work.

I really don't understand what the problem is with my search when it parses correctly in the search app, but fails in the new suppression wizard.