Splunk Enterprise Security

Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to include src_ip and dest_ip columns?


Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated to have the src_ip and dest_ip columns to allow me to define acceptable usage of a port currently deemed prohibited.

Current header for the csv file is:

transport,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note

Proposing:

transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note

Set up the example:

Let’s say we have two systems on our internal network, 172.1.1.15 (desktop) and 172.1.2.15 (server). Bob, who uses the desktop 172.1.1.15, RDP’s to 172.1.2.15 once a month to do a report. Under the current configuration, Bob’s RDP access generates a notable event. We want to be able to put acceptable usage of a protocol in the lookup, so that notable events are not created for acceptable usage. Also, would using wildcards possibly work on the src_ip and dest_ip values (for example 172.1.1.0/24 or 172.1.1.*)?

Example of default prohibited port definition:

tcp,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown

Example of proposed:

tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,prohibit_inbound_rdp_from_unknown

Please let me know if more information is needed or there is a better way to address this item. Thank you in advance for your time.


Splunk Employee

You can add additional fields to extend the capability of the lookups in ES. If/when you do this, you will also want to do a couple of additional things, using the rough outline provided below:
1. Configure additional fields in lookups and schedule lookup creation - http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Createsearchdrivenlookups
2. Configure correlation searches to leverage the lookup, and schedule correlation searches to create notable events -
http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Configurecorrelationsearches


