Splunk Enterprise Security

Splunk Web datamodel whitelisting

burakatabay
Path Finder

Hello Splunkers,

Trying to fix the Web data models in the CIM and would like to exclude a couple of IP addresses. However, I'm struggling to form a white list for those specific IP addresses.

I'm looking for any guidance links and resources towards creating whitelists, all help is appreciated.
Thanks, and Happy Splunking!

0 Karma

lakshman239
SplunkTrust
SplunkTrust

Do you want to exclude IP's getting into datamodel? I would suggest to have IPs (e.g. src_ip) in the datamodel and have a category, say (web_blacklist_ips) in your asset data for those IPs. You can then create searches to exclude those Ips using the category.

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...