Splunk Enterprise Security
Highlighted

Where is the documentation for whitelisting vulnerability scanners in ESS version 5.1.1?

Explorer

Pretty straightforward question. The older guides aren't accurate, I want an up to date guide for doing this. Blah blah blah blah blah just writing to fill up the word length requirement.

0 Karma
Highlighted

Re: Where is the documentation for whitelisting vulnerability scanners in ESS version 5.1.1?

Splunk Employee
Splunk Employee

Where do you want to whitelist the vulnerability scanners? In specific correlation searches, from threat lists, or what? Please provide some additional detail 🙂

0 Karma
Highlighted

Re: Where is the documentation for whitelisting vulnerability scanners in ESS version 5.1.1?

Splunk Employee
Splunk Employee

If you're looking to whitelist your vulnerability scanner from correlation searches, your best bet is to use the asset and identify framework.

When you generate your asset list, you'd identify your vulnerability scanner by either IP Address, hostname, installed applications, etc etc, and give it a category of "scanner" or "known_scanner", or whatever you want. You'd then update the applicable correlation searches to not include anything where "category=scanner".

0 Karma