Splunk Enterprise Security

How to black list all the ports except the approved ports using interesting ports list in splunk enterprise security?

New Member

I would like to blacklist (get an alert) for all the ports except the approved port list, using the interesting ports list.

Please advise on the available options to achieve this.

0 Karma

Re: How to black list all the ports except the approved ports using interesting ports list in splunk enterprise security?

Builder

Since the interesting ports list in ES is stored in a lookup you can build a SPL query alert based on:

    | inputlookup interesting_ports.csv

Use the field is_prohibited=true, I guess.


0 Karma

Re: How to black list all the ports except the approved ports using interesting ports list in splunk enterprise security?

New Member

I think re-articulating the question would help to get the nearest answer. I want to mark every other port as prohibited except the approved ports in my environment.

0 Karma

Re: How to black list all the ports except the approved ports using interesting ports list in splunk enterprise security?

Builder

Same counts for that, I guess. You can modify the interesting_ports.csv to match your needs.

0 Karma
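The two replies above describe two ways to get "alert on everything except approved ports" out of a prohibited-port lookup: either invert the check at query time (alert when a port is NOT in the approved set) or rewrite interesting_ports.csv so that every non-approved port carries is_prohibited=true. The following Python script is an added illustration of both approaches, not code from the thread or from Splunk; the lookup rows, the traffic events and the is_approved column are constructed for this example and only the dest_port, transport and is_prohibited column names mirror the page.

```python
"""Allow-list port alerting modelled on an interesting_ports-style lookup.

Constructed example (not Splunk ES code): the lookup rows, the events and the
is_approved column are assumptions made for illustration. Field names
dest_port, transport and is_prohibited follow the thread's interesting_ports.csv.
"""
import csv
import io

# Constructed approved-port lookup. The thread's lookup only flags prohibited
# ports; an assumed is_approved column lets "everything else" be derived.
APPROVED_PORTS_CSV = """dest_port,transport,is_approved,note
22,tcp,true,ssh
443,tcp,true,https
53,tcp,true,dns
53,udp,true,dns
"""

# Constructed sample traffic events with Network_Traffic-style field names.
EVENTS = [
    {"src": "10.0.0.5", "dest": "10.0.1.10", "dest_port": 443, "transport": "tcp"},
    {"src": "10.0.0.5", "dest": "10.0.1.10", "dest_port": 22, "transport": "TCP"},
    {"src": "10.0.0.7", "dest": "10.0.1.11", "dest_port": 3389, "transport": "tcp"},
    {"src": "10.0.0.7", "dest": "10.0.1.12", "dest_port": 53, "transport": "udp"},
    # Port 22 is approved for tcp only, so the same port over udp must alert.
    {"src": "10.0.0.9", "dest": "10.0.1.13", "dest_port": 22, "transport": "udp"},
]


def load_approved(csv_text):
    """Return the set of (dest_port, transport) pairs the lookup marks approved.

    Matching on the pair, not the port alone, mirrors the lookup's transport
    column: approving 22/tcp says nothing about 22/udp.
    """
    approved = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["is_approved"].strip().lower() == "true":
            approved.add((int(row["dest_port"]), row["transport"].strip().lower()))
    return approved


def find_unapproved(events, approved):
    """Query-time inversion: alert on every event whose (dest_port, transport)
    is absent from the approved set. This is the NOT-in-list form of the
    first reply's is_prohibited=true search."""
    return [
        e for e in events
        if (int(e["dest_port"]), e["transport"].lower()) not in approved
    ]


def to_prohibited_rows(approved, ports=range(1, 65536), transports=("tcp", "udp")):
    """Lookup-rewrite form from the last reply: emit an is_prohibited=true row
    for every port/transport pair that is not approved. Over the full port
    range this is ~131k rows, so the query-time inversion is usually simpler."""
    return [
        {"dest_port": p, "transport": t, "is_prohibited": "true"}
        for t in transports
        for p in ports
        if (p, t) not in approved
    ]


if __name__ == "__main__":
    approved = load_approved(APPROVED_PORTS_CSV)
    for e in find_unapproved(EVENTS, approved):
        print(f"ALERT {e['src']} -> {e['dest']}:{e['dest_port']}/{e['transport']}")
```

The script reads the approved set once, then treats anything not in that set as a hit; a lookup that lists only prohibited ports cannot express "all other ports" without enumeration, which is what `to_prohibited_rows` shows and why inverting the check in the search is the lighter option.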