Splunk Enterprise Security

Does someone have an example that shows how to ignore 2 or 3 domains for a Splunk Enterprise Security threat list?

silasbarnesva
Explorer

So the threat lists that come with Splunk Enterprise Security are great, but sometimes we need to ignore a single domain.

The Configure Block Lists (http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists) section in the Splunk docs describes the Ignore Regular Expression line for each threat list, but I was hoping that someone could provide an example that shows how to ignore two or three different domains (e.g. good_domain1.com and good_domain2.com should be ignored).

Thanks!

0 Karma
1 Solution

kchamplin_splun
Splunk Employee

There currently is not a whitelisting capability within ES, but it's something that we are looking into. Would it be possible to describe the way you would like to manage this behavior - specifically would something like a lookup table that you can add/remove things like domains, IPs, other intel artifacts work well for your case?


0 Karma

kchamplin_splun
Splunk Employee

Awesome thanks for the feedback and extra detail. Generally speaking, what is the thinking of having the ignore rules stackable outside of the existing threat intel searches?

Also, I forgot to explain the "ignore" regular expression - these are mainly for ignoring specific lines in the threat intel list in the case of things like comments or other artifacts in the raw threat intel. For example take a look at the source data from the SANS list that ships with ES:
http://isc.sans.edu/block.txt
Its corresponding ignore regular expression is:
(^#|^\s*$|^Start)
That's to take care of the comment lines (^#), the column heading line (^Start) and other items that don't represent the threat artifacts themselves. That said... I've not tried explicitly ignoring based on a capture group that actually calls out the string literal of the threat artifact. It might be something I can test out later next week, but if you're brave enough to try, share your results!

0 Karma
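The following is an added example, not code from the thread or from Splunk: it emulates the documented behaviour of the Ignore Regular Expression (a list line that matches the regex is skipped, everything else is loaded) over a constructed sample list, first with the stock SANS regex quoted above and then with the regex extended to drop the two domains from the question. It assumes one indicator per line (the real ISC feed is tab-separated, so adapt the anchoring to the column layout if you use it there) and it deliberately contrasts an anchored, escaped extension with the tempting "just paste the domain in" shortcut, because an unanchored, unescaped `good_domain1.com` also suppresses `notgood_domain1.com` and `good_domain1.com.attacker.example` while missing `GOOD_DOMAIN2.COM`.

```python
import re

# Ignore regex that ships with the ES SANS list, as quoted in the post above.
ES_SANS_IGNORE = r"(^#|^\s*$|^Start)"


def build_ignore_regex(base_pattern, ignored_domains):
    """Extend a line-level ignore regex with exact-match domain alternatives.

    Every domain is re.escape()d (so '.' is literal) and anchored to the whole
    line (trailing whitespace tolerated), so ignoring 'good_domain1.com' does
    not also drop 'good_domain1.com.attacker.example' or 'notgood_domain1.com'.
    Matching is case-insensitive for the domains only (scoped (?i:...) group),
    so the stock '^Start' heading rule keeps its original case sensitivity.
    """
    if not ignored_domains:
        return base_pattern
    alts = "|".join(re.escape(d.strip()) for d in ignored_domains)
    return rf"(?:{base_pattern}|^(?i:{alts})\s*$)"


def naive_ignore_regex(base_pattern, ignored_domains):
    """The tempting shortcut: paste the domains in unescaped and unanchored.

    Included only to demonstrate the over- and under-matching; do not use.
    """
    return "(" + "|".join([base_pattern] + list(ignored_domains)) + ")"


def filter_threat_list(lines, ignore_regex):
    """Return the lines that would survive as threat artifacts.

    Mirrors the documented semantics of the ES 'Ignore Regular Expression':
    a line matching the regex is skipped, every other line is loaded. This is
    a stand-alone emulation, not Splunk's own list parser, and it assumes one
    indicator per line.
    """
    pat = re.compile(ignore_regex)
    return [line.rstrip("\r\n") for line in lines if not pat.search(line)]


# Constructed sample list (not real threat intel): comment lines, a column
# heading line, a blank line and a few indicators, including look-alikes that
# a careless ignore rule would wrongly drop.
SAMPLE_LINES = """\
# constructed sample block list
# one domain per line
Start of indicators

good_domain1.com
GOOD_DOMAIN2.COM
good_domain1.com.attacker.example
notgood_domain1.com
bad_domain.example
""".splitlines()

# The two domains the question wants ignored (hypothetical names from the post).
IGNORED = ["good_domain1.com", "good_domain2.com"]


def main():
    print("stock regex keeps:", filter_threat_list(SAMPLE_LINES, ES_SANS_IGNORE))
    safe = build_ignore_regex(ES_SANS_IGNORE, IGNORED)
    print("anchored + escaped:", safe)
    print("  keeps:", filter_threat_list(SAMPLE_LINES, safe))
    naive = naive_ignore_regex(ES_SANS_IGNORE, IGNORED)
    print("naive paste-in:", naive)
    print("  keeps:", filter_threat_list(SAMPLE_LINES, naive))


if __name__ == "__main__":
    main()
```

The string returned by `build_ignore_regex` is what you would paste into the Ignore Regular Expression field for that list. Two caveats worth stating: this removes the indicator from the list before it is ever loaded, so it is an all-or-nothing suppression for that artifact rather than the per-source, per-destination exception discussed further down the thread; and because an ignore regex silently shortens your intel, check what actually landed in the threat collection after the next download rather than trusting the pattern by eye.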

silasbarnesva
Explorer

Will do, thanks!

0 Karma

silasbarnesva
Explorer

That sounds good to me - ideally you'd be able to configure granular ignore rules (like IGNORE if src_client=192.168.1.2 AND dst_domain=www.notsobad.com AND protocol=80/443) to override threat list entries as specifically as possible to ensure you don't miss out on relevant threat intel hits.

Not saying that threat list info is often wrong, but there are situations where you'd like to not be alerted to a specific scenario, but similarly you don't want to simply just ignore a domain or source completely.

Thanks,

S

0 Karma