Splunk Enterprise Security

How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

waynemurraysgs
Engager

We have several devices that perform endpoint and network device scanning.  As intended, they are scanning prohibited ports to verify they are not open, however the ESCU correlation searches , specifically the "Prohibited network Traffic Allowed" rule, is detecting thousands of these events each day.

How can I prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

Thank you.

Tags (1)
0 Karma
1 Solution

Azeemering
Builder

Modify the correlation search to exclude the legitimate devices.

View solution in original post

starcher
SplunkTrust
SplunkTrust

This is why you should put devices into the Assets framework and label their category "known_scanner" then you can do like NOT src_category="known_scanner" into your search. So as you update assets new scanners don't trigger correlation searches.

0 Karma

Azeemering
Builder

Modify the correlation search to exclude the legitimate devices.

dokaas_2
Path Finder

Correlation rules from sources such as ESCU will have a filter macro.  For example, the rule "ESCU - Access LSASS Memory for Dump Creation - Rule" has a macro named "access_lsass_memory_for_dump_creation_filter".  You should modify the macro rather than the rule itself. 

Sometimes rules are updated in the ESCU.  If one modifies the rule directly, the search will be saved in the 'local' folder and have precedence over an updated rule in the default folder.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...