Splunk Alert - best practice input

iherb_0718 · ‎12-20-2020

Hello Splunkers,

I just wanted to have someone give me best practice input.

My scenario is that I have threat intelligence coming in from Threatconnect. The index is "threatconnect". Threatconnect is auto-tagging any IOCs related to the solarwinds breach as "solarwinds breach" and I've seen other tags come in with the word "solarwinds" so I will wildcard it. The event which this comes in under is in field "event.ts_detail".

I run this search and I see activity:

index=threatconnect event.ts_detail=*solarwinds*

However, all the activity I am seeing is an IP brute forcing us constantly. It comes in as this field event.src=45.129.33.129

Therefore, I created an alert with this search which runs every hour:

index=threatconnect event.ts_detail=*solarwinds* event.src!=45.129.33.129

My question to you:

Is this best practice to set the alert and ignore something that I don't care about (IP 45.129.33.129 since it's only probing).

Would you do it differently?

iherb_0718 · ‎12-20-2020

I believe I'm better off with putting the exclusions from an input table so that it will be easier for me to exclude additional IPs.

Suppose I make the exclusion as a lookup file called: Solarwinds_whitelist_IOC.csv

What would the syntax be for me to call on this input table to NOT include?

Splunk Alert - best practice input

configuration

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!