So the threat lists that come with Splunk Enterprise Security are great, but sometimes we need to ignore a single domain.
The Configure Block Lists (http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists
) section in the Splunk docs describe the Ignore Regular Expression line for each threat list, but I was hoping that someone could provide an example that shows how to ignore two or three different domains (.e.g. gooddomain1.com and gooddomain2.com should be ignored).
There currently is not a whitelisting capability within ES, but it's something that we are looking into. Would it be possible to describe the way you would like to manage this behavior - specifically would something like a lookup table that you can add/remove things like domains, IPs, other intel artifacts work well for your case?
That sounds good to me - ideally you'd be able to configure granular ignore rules (like IGNORE if srcclient=192.168.1.2 AND dstdomain=www.notsobad.com AND protocol=80/443) to override threat list entries as specifically as possible to ensure you don't miss out on relevant threat intel hits.
Not saying that threat list info is often wrong, but there are situations where you'd like to not be alerted to a specific scenario, but similarly you don't want to simply just ignore a domain or source completely.
Awesome thanks for the feedback and extra detail. Generally speaking, what is the thinking of having the ignore rules stackable outside of the existing threat intel searches?
Also, I forgot to explain the "ignore" regular expression - these are mainly for ignoring specific lines in the threat intel list in the case of things like comments or other artifacts in the raw threat intel. For example take a look at the source data from the SANS list that ships with ES:
Its corresponding ignore regular expression is:
Thats to take care of the comment lines (^#), the column heading line (^Start)and other items that don't represent the threat artifacts themselves. That said...I've not tried explicitly ignoring based on a capture group that actually calls out the string literal of the threat artifact. It might be something I can test out later next week, but if you're brave enough to try, share your results!