Thank you for the reply!
do you mean the Comodo IP is flagged as a suspected C2 communication or it shows up under IDS/IPS?
It shows up under IDS/IPS as a suspected scanning attack.
If it is showing up as an intrusion on IDS/IPS reports, another intrusion detection mechanism in your environment is picking up the IP as an intrusion.
Yes - this is flagged by our Fortinet firewall. I am working with the network admin to whitelist the IP on the firewall level, but I suspect I will continuously run into items like that as we build our infrastructure out. I am looking for a method of handling this from the Splunk side as well as the firewall side.
If the IP is showing up under suspected C2 communication, one of the simple ways to filter out an IP:
| tstats summariesonly=true allow_old_summaries=true dc(IDS_Attacks.signature) as attack_count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.severity=* by IDS_Attacks.src
| rename "IDS_Attacks.src" as src, "IDS_Attacks.*" as "*"
| sort 5 - attack_count
| search src!=2.2.2.2
This works for the dashboard, but the correct solution is to modify the firewall config.
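A maintainable variant of that search, added here as an example (it is not from the original post): instead of hardcoding each benign scanner as `src!=...`, the allowlist lives in a lookup file, assumed to be named benign_scanners.csv with the columns src and owner, so the dashboard and any correlation search share one list as more vendor scanners appear.

```spl
| tstats summariesonly=true allow_old_summaries=true
    dc(IDS_Attacks.signature) as attack_count
    from datamodel=Intrusion_Detection.IDS_Attacks
    where IDS_Attacks.severity=*
    by IDS_Attacks.src
| rename "IDS_Attacks.*" as "*"
```` Look up the source IP in the assumed allowlist file; rows with no match get a null scanner_owner ```
| lookup benign_scanners.csv src OUTPUT owner as scanner_owner
```` Keep only sources that are not on the allowlist ```
| where isnull(scanner_owner)
| sort 5 - attack_count
```

The contents of the allowlist can be reviewed at any time with `| inputlookup benign_scanners.csv`, which is easier to audit than a growing chain of `!=` clauses in the search itself.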