Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated to have the src_ip and dest_ip columns to allow me to define acceptable usage of a port currently deemed prohibited.
Current header for the csv file is:
transport,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note
Proposing:
transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note
Set up the example:
Let's say we have two systems on our internal network, 172.1.1.15 (desktop) and 172.1.2.15 (server). Bob, who uses the desktop 172.1.1.15, RDPs to 172.1.2.15 once a month to do a report. Under the current configuration, Bob's RDP access generates a notable event. We want to be able to put acceptable usage of a protocol in the lookup, so that notable events are not created for acceptable usage. Also, would using wildcards possibly work on the src_ip and dest_ip values (example 172.1.1.0/24 or 172.1.1.*)?
Example of default prohibited port definition:
tcp,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown
Example of proposed:
tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,prohibit_inbound_rdp_from_unknown
Please let me know if more information is needed or there is a better way to address this item. Thank you in advance for your time.
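To show how the proposed src_ip/dest_ip columns could be evaluated against a flow, here is an added Python example that is not part of the original thread and is not Enterprise Security's own lookup logic; it assumes a "most specific matching row wins" precedence, and the 172.1.1.0/24 row is constructed here to exercise CIDR matching alongside the two rows from the question.

```python
"""Evaluate flows against a prohibited_traffic.csv extended with src_ip/dest_ip.

The header and the first two rows are the ones from the question (the default
row rewritten with empty src_ip/dest_ip); the CIDR row is constructed here.
Precedence (most specific row wins) is an assumption of this script.
"""
import csv
import fnmatch
import io
import ipaddress

LOOKUP_CSV = """\
transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note
tcp,,,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown
tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,prohibit_inbound_rdp_from_unknown
tcp,172.1.1.0/24,172.1.2.15,unknown,*,,,3389,false,,allow_desktop_subnet_rdp
"""

MATCH_FIELDS = ("src_ip", "dest_ip", "transport", "src_category", "dest_category", "dest_port")


def _ip_matches(pattern, ip):
    """Blank or '*' matches any host; a CIDR prefix uses ipaddress; else shell-style wildcard/exact."""
    if pattern in ("", "*"):
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(ip, pattern)


def _field_matches(pattern, value):
    """Blank or '*' is a wildcard; anything else must match exactly."""
    return pattern in ("", "*") or pattern == value


def load_rules(text=LOOKUP_CSV):
    """Parse the lookup CSV into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_prohibited(flow, rules=None):
    """Return (prohibited, note) for a flow dict; no matching row means not prohibited."""
    rules = load_rules() if rules is None else rules
    best = None  # (specificity, row)
    for rule in rules:
        if not (_ip_matches(rule["src_ip"], flow["src_ip"]) and _ip_matches(rule["dest_ip"], flow["dest_ip"])):
            continue
        if not all(_field_matches(rule[f], str(flow.get(f, ""))) for f in MATCH_FIELDS[2:]):
            continue
        specificity = sum(1 for f in MATCH_FIELDS if rule[f] not in ("", "*"))
        if best is None or specificity > best[0]:
            best = (specificity, rule)
    if best is None:
        return False, "no rule"
    return best[1]["is_prohibited"].strip().lower() == "true", best[1]["note"]
```

A row with empty src_ip/dest_ip behaves exactly like today's format, so existing rows keep working once the two columns are added.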
You can add additional fields to extend the capability of the lookups in ES. If/when you do this you will also want to do a couple of additional things using the rough outline provided below:
1. Configure additional fields in lookups and schedule lookup creation - http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Createsearchdrivenlookups
2. Configure correlation searches to leverage the lookup and schedule correlation searches to create Notable Events -
http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Configurecorrelationsearches