How to whitelist the list of hosts from all the alerts ?

Hello All!

Kindly help me to find a solution for this.

I need to whitelist a list of hosts (the host count is >1220 and may grow further) from all alerts.

The field name for the host varies per correlation search. I have been trying the below options for some days:

1. Upload the list as a lookup table and whitelist through the lookup in every correlation rule (which will cause retroactive alerts).

2. Suppression rule - Since the host field name is different for each rule, I need to write a suppression rule for each correlation rule.

3. Single suppression rule - I am not clear how to get the host values from all correlation searches, map them into a single field, and then search on those values.

Currently I am trying to write a query to get the host values from `notable` and compare the values.

`notable` | fillnull value=0 Hostname dest_host nt_host Computer_Name | eval whitelist_host=if(Hostname!="0", Hostname, if(dest_host!="0", dest_host, if(nt_host!="0", nt_host, Computer_Name))) | table whitelist_host search_name Hostname dest_host nt_host Computer_Name | dedup whitelist_host

`notable` | eval gifted_host=coalesce(Hostname, dest_host, nt_host, Computer_Name) | table gifted_host | dedup gifted_host

Please let me know for any suggestions or if we have any other option.
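One way to combine the coalesce approach with a lookup, as an added example that is not part of the original post: it assumes a CSV lookup named host_whitelist.csv with a single column `host` holding lowercase short hostnames, and that the four field names above are the only host fields the correlation searches use.

```spl
`notable`
| eval whitelist_host=coalesce(Hostname, dest_host, nt_host, Computer_Name)
| eval whitelist_host=lower(replace(whitelist_host, "\..*$", ""))
| lookup host_whitelist.csv host AS whitelist_host OUTPUT host AS matched_host
| eval is_whitelisted=if(isnotnull(matched_host), "yes", "no")
| stats count AS notables dc(whitelist_host) AS hosts BY search_name is_whitelisted
```

The second eval normalizes case and strips any domain suffix so that FQDN and short-name values match the same lookup row; the final stats shows, per correlation search, how many notables would be suppressed and how many would remain.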
