Hello Splunkers,
I just wanted to have someone give me best practice input.
My scenario is that I have threat intelligence coming in from Threatconnect. The index is "threatconnect". Threatconnect is auto-tagging any IOCs related to the solarwinds breach as "solarwinds breach" and I've seen other tags come in with the word "solarwinds" so I will wildcard it. The event which this comes in under is in field "event.ts_detail".
I run this search and I see activity:
index=threatconnect event.ts_detail=*solarwinds*
However, all the activity I am seeing is an IP brute forcing us constantly. It comes in as this field event.src=45.129.33.129
Therefore, I created an alert with this search which runs every hour:
index=threatconnect event.ts_detail=*solarwinds* event.src!=45.129.33.129
My question to you:
Is this best practice, to set the alert and ignore something that I don't care about (IP 45.129.33.129, since it's only probing)?
Would you do it differently?
I believe I'm better off with putting the exclusions from an input table so that it will be easier for me to exclude additional IPs.
Suppose I make the exclusion as a lookup file called: Solarwinds_whitelist_IOC.csv
What would the syntax be for me to call on this input table to NOT include?
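Added example (not from the original post): two ways to apply a CSV exclusion list in SPL, assuming Solarwinds_whitelist_IOC.csv has been uploaded as a lookup table file with a header row `src,reason` and a constructed row `45.129.33.129,scanner noise`. The first form is a subsearch over the file; the second uses the `lookup` command (it assumes a lookup definition of that name, or a Splunk version that accepts the CSV filename directly) and keeps the reason column so the suppression is visible; the third is a review search to confirm what the list is actually suppressing before trusting the alert.

```spl
index=threatconnect event.ts_detail=*solarwinds*
    NOT [ | inputlookup Solarwinds_whitelist_IOC.csv
          | rename src AS event.src
          | fields event.src ]

index=threatconnect event.ts_detail=*solarwinds*
| lookup Solarwinds_whitelist_IOC.csv src AS event.src OUTPUT reason AS exclusion_reason
| where isnull(exclusion_reason)

index=threatconnect event.ts_detail=*solarwinds*
| lookup Solarwinds_whitelist_IOC.csv src AS event.src OUTPUT reason AS exclusion_reason
| stats count BY event.src exclusion_reason
```

The subsearch form expands the file into an OR of `event.src="..."` terms and is capped by the default subsearch result limit (10,000 rows), so the `lookup` form scales better as the list grows. Run the third search periodically: a row whose exclusion_reason is filled but whose count changes sharply is the signal that a "probing only" source has changed behaviour.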