Splunk Enterprise Security

How to whitelist events using inputlookup?

Path Finder

I am trying to whitelist events from a specific server using IP and hostname. I am running into 2 issues.

  1. I have different field values coming up for the same host (ex: server1 and 10.2.3.4). I can use inputlookup to remove the IP; however, I can't figure out how to remove multiple values in the most efficient way.

  2. On another search, I am also whitelisting, but in this case I need to add a whitelist of one server using IP, but for 2 different field values. For context, these are linux auth logs and WinEvent:Security logs.

Base part of search that I'm using for both:

NOT [ | inputlookup ess_whitelist_security.csv | where match(alert_name, "Access - Default Account In Use") | rename src AS rhost | fields rhost ]
0 Karma
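One way to cover both scenarios in a single exclusion subsearch. This is an added example, not the original poster's search and not Splunk's own documentation. It assumes the lookup ess_whitelist_security.csv has columns alert_name and src, that a src cell may hold several values for one server separated by ";" (for instance the constructed value "10.2.3.4;server1"), and that the two sourcetypes are named linux_secure and WinEventLog:Security; the index name auth_events is also an assumption.

```spl
index=auth_events (sourcetype=linux_secure OR sourcetype="WinEventLog:Security")
NOT [
    | inputlookup ess_whitelist_security.csv
    | where match(alert_name, "Access - Default Account In Use")
    | eval src=split(src, ";")
    | mvexpand src
    | eval src=trim(src)
    | where isnotnull(src) AND src!=""
    | eval search="(rhost=\"" . src . "\" OR Source_Network_Address=\"" . src . "\")"
    | fields search
]
```

The split/mvexpand pair turns one lookup row such as "10.2.3.4;server1" into one row per value, which handles scenario 1 without a separate lookup row for each spelling of the host. Returning a field literally named search makes Splunk insert each row's value verbatim, so one lookup value excludes both rhost (Linux auth logs) and Source_Network_Address (Windows Security logs) in scenario 2; rows are combined with OR. To check what the subsearch expands to before trusting the exclusion, run the bracketed part on its own with "| format" appended and read the generated search string, then confirm the whitelisted server disappears from the results while other hosts remain.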

SplunkTrust

I am not sure if you are referring to tagging/rename/alias instead of whitelist? (terminology issue)

If you have events coming from the same host with both a hostname and an IP address, you can use tags to have a common name for both events, e.g. myapphost1.

Your second scenario looks like you want to 'alias' a field.

0 Karma

Path Finder

Even after doing the Field Alias for scenario 2, I am still receiving those events. Seems more to do with my inputlookup language.

0 Karma

SplunkTrust

Can you give examples and/or explain a bit more of your requirement 2?

0 Karma

Path Finder

I have resolved my issue 2 by using a Field Alias to recognize the field: Source_Network_Address (from WinEventLogs:Security sourcetype) as rhost (Linux sourcetype).

For issue 1, I have attempted the tagging that you suggested and this did not work.

Example of issue one: field name: src. Getting field values src=10.X.X.X and src=SERVER1.

SERVER1 is the server with IP 10.X.X.X.

0 Karma

SplunkTrust

So, for scenario 1, you have events which have the field 'src' populated with an IP address and some with 'hostnames'. Both are actually from the same server. So, if you do a search like index=yourindex host=*, you should see IP and hostname values for 'host'. So, if you tag events from host=10.X.X.X as MYSERVER1 and similarly tag events with host=SERVER1 as MYSERVER1, you can achieve the same.

What error/issue did you face?

0 Karma