Splunk Enterprise

How do I effectively whitelist events like excessive failed logins, and abnormal new processes?

MdSantana
Explorer

Hello,


How do I effectively whitelist events like excessive failed logins and abnormal new processes? These are known, non-malicious issues in our network that generate a lot of hits that do not amount to anything upon extensive investigation.


Thanks in advance.

0 Karma

2MuchC0ff33
Explorer

@MdSantana, Could you try manually creating the suppression rule by adding it to your Splunk configuration's transforms.conf file?

0 Karma

MdSantana
Explorer

Still doesn't work.

I really don't understand what the problem is with my search when it parses correctly in the search app, but fails in the new suppression wizard.

0 Karma

2MuchC0ff33
Explorer

Great question @MdSantana 

You can effectively whitelist events in Splunk, such as excessive failed logins and unusual new processes, by using the following methods:

  1. Suppression rules: To suppress these events, create a suppression rule in Splunk.
  2. Whitelist of source IP addresses: For these events, you can create a whitelist of source IP addresses.
  3. Use of "ignore" or "exclusion" lists: For these events, you can create an ignore or exclusion list.
  4. Use of event types: These events can be assigned specific event types.

It should be noted that these methods should be used with caution, as they can also conceal legitimate security events. I recommend reading the Splunk documentation for more information on suppression rules, whitelists, ignore or exclusion lists, and event types.

Let me know if you need help developing commands.
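As an added illustration of methods 2 and 3 above (this is example SPL written for this thread, not a search from the original posts or from Splunk's documentation), the following correlation-style search counts failed logins per source and destination and then drops only the pairs that a reviewed allowlist lookup still covers. Everything named here is an assumption: a lookup definition `auth_allowlist` in transforms.conf (`[auth_allowlist]`, `filename = auth_allowlist.csv`, `match_type = WILDCARD(dest)` so an entry can use `dest=*`), a CSV with the columns `src, dest, reason, expires` (expires as `YYYY-MM-DD`), a threshold of 20 failures per hour, and an Authentication data model populated by CIM-compliant add-ons.

```spl
| tstats count AS failures FROM datamodel=Authentication
    WHERE Authentication.action="failure" earliest=-1h@h latest=@h
    BY Authentication.src Authentication.dest Authentication.user
| rename Authentication.* AS *
| stats sum(failures) AS failures dc(user) AS distinct_users values(user) AS users BY src dest
| where failures >= 20
| lookup auth_allowlist src AS src dest AS dest OUTPUT reason AS allowlist_reason expires AS allowlist_expires
| eval allowlist_active=if(isnotnull(allowlist_reason) AND (isnull(allowlist_expires) OR strptime(allowlist_expires, "%Y-%m-%d") > now()), 1, 0)
| where allowlist_active=0
| table src dest failures distinct_users users
```

The `tstats` call pulls the hourly failure counts from the accelerated data model; `stats` rolls them up per `src`/`dest` pair so the threshold applies to the pair rather than to each user. The `lookup` then attaches the allowlist reason and expiry for matching pairs, and the `eval` treats an entry as active only while it has no expiry date or its expiry is still in the future, so a forgotten entry stops suppressing by itself and the pair shows up again for review. Keeping the `reason` column in the CSV is what makes the exclusion auditable later. The same pattern applies to a new-process search by keying the lookup on `dest` and `process_name` instead of `src` and `dest`.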

MdSantana
Explorer

Thank you 2MuchC0ff33.


I did a lot of searching to try and make sure I would only be whitelisting confirmed non malicious stuff while still allowing Splunk to do its job.

However, I have run into an issue while suppressing. Apparently my search cannot be parsed correctly. Here it is:

| from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="!exec: enable"

Not sure what the issue is, but any help is appreciated.


Thank you again!

0 Karma

2MuchC0ff33
Explorer

Hi @MdSantana 

Using the "!" character in the search expression could be the source of the problem with the search query. In Splunk, the "!" character is used to negate a search term, so "!exec: enable" would match events where the value of the "command" field does not contain the string "exec: enable".

You could try escaping the "!" character by adding a backslash in front of it, as shown below:

| from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="\!exec: enable"

If this does not solve the problem, try replacing the "!" character with the "\\!" sequence, as shown below:

| from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="\\!exec: enable"

MdSantana
Explorer

Hi @2MuchC0ff33 ,


It's strange because when I run a normal search string outside of the New Suppression setup wizard/box I get no errors.

But when I input the same thing into the box and attempt to save, I get the error.


Nonetheless, unfortunately neither one worked and I still can't figure out why it won't accept the string.

0 Karma