Splunk Enterprise Security

Splunk Enterprise Security: Top Notable Event Sources: Whitelist

shandman
Path Finder

Is there a "simple" way to whitelist an IP address that is showing up in the "Top Notable Event Soucres", within Splunk Enterprise Security?

rkoster
Explorer

You can generate fewer notable events from that source IP address (i.e. tune the correlation searches that are triggering with that src) as Martin suggests or you can modify the report that is used to populate that panel (Report Name: Notable - Top Notable Event Sources).

| `es_notable_events` 
| search timeDiff_type=current src!=unknown src!="<whitelisted address>" 
| stats sparkline(sum(count),30m) as sparkline,dc(rule_name) as correlation_search_count,dc(security_domain) as security_domain_count,sum(count) as count by src 
| sort 100 - count,correlation_search_count
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Generate fewer notable events for that IP 😛

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...