topic Re: Whitelisting values for notable events in Splunk Enterprise Security

Whitelisting values for notable events

samhodgson — Fri, 03 Nov 2017 13:04:13 GMT

Hi All,

I've just got Enterprise Security configured and im now trying to reduce the amount of false alarms created. Im seeing a lot of low/medium urgency network notable events that I would class as normal expected network traffic. For example i've got hundreds of 'Abnormally High Number of HTTP GET Request Events' however a lot of them are for legitimate traffic.

Is possible to say do not create notable events for this event when destination = download.windowsupdate.com (or ideally a list of whitelisted URL's)?

Any help would be greatly appreciated!

Cheers

Sam

Re: Whitelisting values for notable events

smoir_splunk — Fri, 03 Nov 2017 16:34:38 GMT

I'm stealing this suggestion that @starcher made in the enterprise-security channel on Slack.

You can make a lookup with the URLs that you want to ignore from the search, then use that lookup to drop them from the correlation search. This requires modifying the correlation search (I'd recommend making a new one from scratch, and disable the default one)

So, for example, the destination field has the URLs you want dropped, leave the correlation search syntax as-is, then append the lookup at the end and dropping anything that doesn't match. Because it's a URL match, it might not be as fuzzy as you want it, but it's a start.

| lookup mywhitelist destination OUTPUTNEW destination AS isFound | where isnull(isFound)

Re: Whitelisting values for notable events

starcher — Fri, 03 Nov 2017 17:18:59 GMT

part of the benefit is that if the lookup is replicated to indexers it greatly helps performance.

Re: Whitelisting values for notable events

samhodgson — Tue, 07 Nov 2017 10:00:17 GMT

Thanks this helps a lot 🙂