Great question @MdSantana

You can effectively whitelist events in Splunk, such as excessive failed logins and unusual new processes, by using the following methods:

- Suppression rules: To suppress these events, create a suppression rule in Splunk.
- Whitelist of source IP addresses: For these events, you can create a whitelist of source IP addresses.
- Use of "ignore" or "exclusion" lists: For these events, you can create an ignore or exclusion list.
- Use of event types: These events can be assigned specific event types.

It should be noted that these methods should be used with caution, as they can also conceal legitimate security events.

I recommend reading the Splunk documentation for more information on suppression rules, whitelists, ignore or exclusion lists, and event types:

- Suppression Rules: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Suppressionrules
- Whitelist: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Whitelist
- Ignore or Exclusion Lists: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Ignorelist
- Event Types: https://docs.splunk.com/Documentation/Splunk/7.3.3/Search/Abouteventtypes

Let me know if you need help developing commands.
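One concrete way to apply the source-IP whitelist and the ignore list named in the answer above, added here as an example and not code from the original answer or from Splunk's documentation: two scheduled-search stanzas for savedsearches.conf that exclude matches found in a lookup, assuming a Windows Security log index named wineventlog and two constructed lookup files, auth_whitelist_src_ips.csv (columns src_ip,reason) and process_ignore_list.csv (columns process_name,reason).

```ini
# Assumed lookup files (constructed for this example), uploaded via
# Settings > Lookups > Lookup table files, with a lookup definition of the same name:
#   auth_whitelist_src_ips.csv   -> src_ip,reason
#   process_ignore_list.csv      -> process_name,reason
# Rows that match the lookup get a non-null "reason" and are dropped before alerting,
# so the whitelist is maintained in the CSV rather than hard-coded in the search.

[Excessive Failed Logins - Whitelisted Sources Excluded]
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# 4625 = failed logon; threshold of 20 per source in 15 minutes is an assumed tuning value
search = index=wineventlog EventCode=4625 \
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users BY src_ip \
| where failures >= 20 \
| lookup auth_whitelist_src_ips.csv src_ip OUTPUT reason AS whitelist_reason \
| where isnull(whitelist_reason) \
| table _time src_ip failures distinct_users users
alert.track = 1
alert.severity = 4
counttype = number of events
relation = greater than
quantity = 0

[Unusual New Processes - Ignore List Excluded]
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# 4688 = process creation; the ignore list holds known-benign process names
search = index=wineventlog EventCode=4688 \
| rex field=New_Process_Name "(?<process_name>[^\\\\]+)$" \
| lookup process_ignore_list.csv process_name OUTPUT reason AS ignore_reason \
| where isnull(ignore_reason) \
| stats earliest(_time) AS first_seen, count BY host process_name \
| table first_seen host process_name count
alert.track = 1
alert.severity = 3
counttype = number of events
relation = greater than
quantity = 0
```

Every row the lookup removes still exists in the index, so a periodic search of rows where whitelist_reason or ignore_reason is non-null shows exactly what the lists are hiding.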