https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-SA-NetworkProtection-Can-we-update-a/m-p/318851#M2930 <P>Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated to have the src_ip and dest_ip columns to allow me to define acceptable usage of a port currently deemed prohibited. </P> <P>Current header for the csv file is: </P> <P>transport,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note</P> <P>Proposing: </P> <P>transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note</P> <P>Setup the example: </P> <P>Let’s say we have two systems on our internal network, 172.1.1.15 (desktop) and 172.1.2.15(server). Bob, who uses the desktop 172.1.1.15 RDP’s to 172.1.2.15 once a month to do a report. Under the current configuration, Bob’s RDP access generates a notable event. We want to be able to put acceptable usage of a protocol in the lookup, so traffic that notable events are not created for acceptable usage. Also, would using wildcards possibly work on the src_ip and dest_ip values (example 172.1.1.0/24 or 172.1.1.*).</P> <P>Example of default prohibited port definition: </P> <P>tcp,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown</P> <P>Example of proposed: </P> <P>tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,prohibit_inbound_rdp_from_unknown</P> <P>Please let me know if more information is needed or there is a better way to address this item. Thank you in advance for your time.</P> Tue, 29 Sep 2020 16:21:10 GMT donaldwayne1975 2020-09-29T16:21:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-SA-NetworkProtection-Can-we-update-a/m-p/318851#M2930 <P>Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated to have the src_ip and dest_ip columns to allow me to define acceptable usage of a port currently deemed prohibited. </P> <P>Current header for the csv file is: </P> <P>transport,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note</P> <P>Proposing: </P> <P>transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note</P> <P>Setup the example: </P> <P>Let’s say we have two systems on our internal network, 172.1.1.15 (desktop) and 172.1.2.15(server). Bob, who uses the desktop 172.1.1.15 RDP’s to 172.1.2.15 once a month to do a report. Under the current configuration, Bob’s RDP access generates a notable event. We want to be able to put acceptable usage of a protocol in the lookup, so traffic that notable events are not created for acceptable usage. Also, would using wildcards possibly work on the src_ip and dest_ip values (example 172.1.1.0/24 or 172.1.1.*).</P> <P>Example of default prohibited port definition: </P> <P>tcp,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown</P> <P>Example of proposed: </P> <P>tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,prohibit_inbound_rdp_from_unknown</P> <P>Please let me know if more information is needed or there is a better way to address this item. Thank you in advance for your time.</P> Tue, 29 Sep 2020 16:21:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-SA-NetworkProtection-Can-we-update-a/m-p/318851#M2930 donaldwayne1975 2020-09-29T16:21:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-SA-NetworkProtection-Can-we-update-a/m-p/318852#M2931 <P>You can add additional fields to extend the capability of the lookups in ES. If/when you do this you will also want to do a couple additional things using the rough outline provided below: <BR /> 1. Configure additional Fields in lookups and schedule lookup creation - <A href="http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Createsearchdrivenlookups">http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Createsearchdrivenlookups</A> <BR /> 2. Configure Correlations searches to leverage lookup and scheduled Correlations Searches to create Notable Events -<BR /> <A href="http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Configurecorrelationsearches">http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Configurecorrelationsearches</A></P> Sat, 21 Oct 2017 17:15:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-SA-NetworkProtection-Can-we-update-a/m-p/318852#M2931 nsmalley_splunk 2017-10-21T17:15:37Z