Splunk Enterprise Security

Splunk Enterprise Security: Top Notable Event Sources: Whitelist

shandman
Path Finder

Is there a "simple" way to whitelist an IP address that is showing up in the "Top Notable Event Soucres", within Splunk Enterprise Security?

rkoster
Explorer

You can generate fewer notable events from that source IP address (i.e. tune the correlation searches that are triggering with that src) as Martin suggests or you can modify the report that is used to populate that panel (Report Name: Notable - Top Notable Event Sources).

| `es_notable_events` 
| search timeDiff_type=current src!=unknown src!="<whitelisted address>" 
| stats sparkline(sum(count),30m) as sparkline,dc(rule_name) as correlation_search_count,dc(security_domain) as security_domain_count,sum(count) as count by src 
| sort 100 - count,correlation_search_count
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Generate fewer notable events for that IP 😛

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!