Splunk Enterprise Security

How to whitelist events using inputlookup?

wendtb
Path Finder

I am trying to whitelist events from a specific server using IP and hostname. I am running into 2 issues.

  1. I have different field values coming up for the same host (e.g. server1 and 10.2.3.4). I can use inputlookup to remove the IP, however I can't figure out how to remove multiple values in the most efficient way.

  2. On another search, I am also whitelisting, but in this case I need to add a whitelist of one server using IP, but for 2 different field values. For context, these are linux auth logs and WinEvent:Security logs.

Base part of search that I'm using for both:

NOT [ | inputlookup ess_whitelist_security.csv | where match(alert_name, "Access - Default Account In Use") | rename src AS rhost | fields rhost ]

0 Karma
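An added example, not from the poster or from Splunk, showing both cases in one search: it assumes a constructed ess_whitelist_security.csv with columns alert_name,src that holds two rows for the same server (src=SERVER1 and src=10.2.3.4), and the index and sourcetype names are placeholders. The subsearch expands to (rhost="SERVER1") OR (rhost="10.2.3.4"), so every value listed for the server in the lookup is excluded; the coalesce makes the Windows Source_Network_Address field comparable under the Linux rhost name before the NOT is applied.

```spl
index=auth (sourcetype=linux_secure OR sourcetype="WinEventLog:Security")
| eval rhost=coalesce(rhost, Source_Network_Address)
| search NOT [ | inputlookup ess_whitelist_security.csv
               | where match(alert_name, "Access - Default Account In Use")
               | rename src AS rhost
               | fields rhost ]
| table _time, sourcetype, user, rhost
```

Because the filter runs after the eval it cannot be pushed into the base search, so on large indexes restrict the time range and sourcetypes as shown; a row per distinct value (hostname, IP, FQDN) in the lookup is what lets one server be excluded under all the names it reports.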

lakshman239
SplunkTrust

I am not sure if you are referring to tagging/rename/alias instead of whitelist? (terminology issue)

If you have events coming from the same host with both hostname and IP address, you can use tags to have a common name for both events, e.g. myapphost1.

Your second scenario looks like you want to 'alias' a field.

0 Karma

wendtb
Path Finder

Even after doing the Field Alias for scenario 2, I am still receiving those events. Seems more to do with my inputlookup language.

0 Karma

lakshman239
SplunkTrust

Can you give examples and/or explain a bit more of your requirement 2?

0 Karma

wendtb
Path Finder

I have resolved my issue 2 by using a Field Alias to recognize the field: Source_Network_Address (from WinEventLogs:Security sourcetype) as rhost (Linux sourcetype).

For issue 1, I have attempted the tagging that you suggested and this did not work.

Example of issue one: FieldName: src. Getting field name src=10.X.X.X and src=SERVER1.

SERVER1 is the server with IP 10.X.X.X.

0 Karma

lakshman239
SplunkTrust

So, for scenario 1, you have events which have the field 'src' populated with an IP address and some with hostnames. Both are actually from the same server. So, if you do a search like index=yourindex host=*, you should see IP and hostname values for 'host'. So, if you tag events from host=10.X.X.X to MYSERVER1 and similarly tag events with host=SERVER1 to MYSERVER1, you can achieve the same.

What error/issue did you face?

0 Karma