Splunk Enterprise Security

Where is the documentation for whitelisting vulnerability scanners in ESS version 5.1.1?

horanman01
Explorer

Pretty straightforward question. The older guides aren't accurate, I want an up to date guide for doing this. Blah blah blah blah blah just writing to fill up the word length requirement.

0 Karma

mgaudie_splunk
Splunk Employee
Splunk Employee

If you're looking to whitelist your vulnerability scanner from correlation searches, your best bet is to use the asset and identify framework.

When you generate your asset list, you'd identify your vulnerability scanner by either IP Address, hostname, installed applications, etc etc, and give it a category of "scanner" or "known_scanner", or whatever you want. You'd then update the applicable correlation searches to not include anything where "category=scanner".

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Where do you want to whitelist the vulnerability scanners? In specific correlation searches, from threat lists, or what? Please provide some additional detail 🙂

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...