Splunk Enterprise Security

Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to include src_ip and dest_ip columns?

donaldwayne1975
Path Finder

Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated to have the src_ip and dest_ip columns to allow me to define acceptable usage of a port currently deemed prohibited.

Current header for the csv file is:

transport,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note

Proposing:

transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note

Setup the example:

Let’s say we have two systems on our internal network, 172.1.1.15 (desktop) and 172.1.2.15 (server). Bob, who uses the desktop 172.1.1.15, RDPs to 172.1.2.15 once a month to do a report. Under the current configuration, Bob’s RDP access generates a notable event. We want to be able to put acceptable usage of a protocol in the lookup, so that notable events are not created for acceptable usage. Also, would using wildcards possibly work on the src_ip and dest_ip values (example 172.1.1.0/24 or 172.1.1.*)?

Example of default prohibited port definition:

tcp,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown

Example of proposed:

tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,prohibit_inbound_rdp_from_unknown

Please let me know if more information is needed or there is a better way to address this item. Thank you in advance for your time.

0 Karma
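To make the proposed scheme concrete, the following is an added example (not code from Splunk, SA-NetworkProtection or the poster) that emulates, in Python, how rows in a lookup with the proposed header could be matched against traffic records. The lookup rows, the traffic records, the "most specific row wins" precedence and the CIDR / trailing-wildcard handling are all assumptions made for the illustration; Enterprise Security itself evaluates the lookup inside its correlation searches, not with this code.

```python
import csv
import io
import ipaddress

# Constructed lookup body using the asker's proposed header. These rows are
# illustrative and are not the stock prohibited_traffic.csv from SA-NetworkProtection.
PROPOSED_LOOKUP_CSV = """\
transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note
tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,allow_bob_monthly_rdp_report
tcp,172.1.1.0/24,*,unknown,*,,,3389,false,,allow_rdp_from_desktop_subnet
tcp,*,*,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown
"""

# An empty cell or '*' in the lookup means "any value" (assumed convention).
WILDCARDS = ("", "*")

# Fields compared by plain equality.
EXACT_FIELDS = ("transport", "src_category", "dest_category",
                "src_pci_domain", "dest_pci_domain", "dest_port")
# Fields that additionally accept CIDR (172.1.1.0/24) or trailing-glob (172.1.1.*) patterns.
IP_FIELDS = ("src_ip", "dest_ip")


def ip_matches(pattern, ip):
    """True if ip satisfies a lookup cell: any, CIDR block, trailing '*' glob, or exact address."""
    if pattern in WILDCARDS:
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("*"):
        return ip.startswith(pattern[:-1])
    return ip == pattern


def specificity(rule):
    """Rank rows so a host-level allow outranks a subnet allow, which outranks the generic deny."""
    score = 0
    for field in EXACT_FIELDS:
        if rule[field] not in WILDCARDS:
            score += 1
    for field in IP_FIELDS:
        cell = rule[field]
        if cell in WILDCARDS:
            continue
        # An exact address is more specific than a CIDR block or glob.
        score += 1 if ("/" in cell or cell.endswith("*")) else 2
    return score


def load_rules(text):
    """Parse the CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(rules, event):
    """Return (is_prohibited, note) from the most specific matching row; (False, None) if none match."""
    matches = []
    for rule in rules:
        if any(rule[f] not in WILDCARDS and rule[f] != str(event.get(f, "")) for f in EXACT_FIELDS):
            continue
        if not all(ip_matches(rule[f], event[f]) for f in IP_FIELDS):
            continue
        matches.append(rule)
    if not matches:
        return False, None
    best = max(matches, key=specificity)
    return best["is_prohibited"].strip().lower() == "true", best["note"]


RULES = load_rules(PROPOSED_LOOKUP_CSV)

# Constructed traffic records shaped like the Network_Traffic fields the lookup keys on.
BOB_RDP = {"transport": "tcp", "src_ip": "172.1.1.15", "dest_ip": "172.1.2.15",
           "src_category": "unknown", "dest_category": "unknown", "dest_port": 3389}
OTHER_DESKTOP_RDP = dict(BOB_RDP, src_ip="172.1.1.40")   # same /24, not Bob's host
OUTSIDE_RDP = dict(BOB_RDP, src_ip="10.9.9.9")            # falls through to the generic deny
SSH = dict(BOB_RDP, dest_port=22)                          # no row covers this port

if __name__ == "__main__":
    for name, ev in [("bob", BOB_RDP), ("other desktop", OTHER_DESKTOP_RDP),
                     ("outside", OUTSIDE_RDP), ("ssh", SSH)]:
        print(name, evaluate(RULES, ev))
```

The point the emulation makes is that an explicit allow row only suppresses the notable event if the matching logic prefers it over the generic deny row, so whatever correlation search consumes the extended lookup needs a defined precedence, not just "any row matched". In Splunk itself, per-field CIDR and wildcard matching for a CSV lookup is enabled with the match_type setting on the lookup stanza in transforms.conf; the Python above only mimics that behaviour so the precedence can be checked offline.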
1 Solution

nsmalley_splunk
Splunk Employee
Splunk Employee

You can add additional fields to extend the capability of the lookups in ES. If/when you do this you will also want to do a couple additional things using the rough outline provided below:
1. Configure additional Fields in lookups and schedule lookup creation - http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Createsearchdrivenlookups
2. Configure Correlations searches to leverage lookup and scheduled Correlations Searches to create Notable Events - http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Configurecorrelationsearches


