Obviously, I don't want Splunk to alert on high scanning activity from the Nessus systems as we expect them to scan. I am more concerned about systems that are performing scanning activity that are not my Nessus systems showing up in this list.
What is the best way to accomplish this? How would I whitelist the Nessus systems? Is a lookup best, or should I use the CIM and the data models?
I see two potential options for displaying these: 1) display only the unknown scanning systems or 2) colour the Nessus scanning systems as a green bar, and the unknown as red.
What is the best way to go about solving this problem?
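One way to implement the lookup-based whitelist, as an added example that is not part of the original post: it assumes a CSV lookup named `known_scanners.csv` with columns `src` (scanner IP) and `scanner_name`, summarises scan-like activity from the CIM Network_Traffic data model (the `All_Traffic.src`, `All_Traffic.dest` and `All_Traffic.dest_port` fields are CIM-standard), and uses constructed thresholds of 50 distinct destinations or 100 distinct ports per source in the last hour.

```spl
| tstats count dc(All_Traffic.dest) as dests dc(All_Traffic.dest_port) as dest_ports
    from datamodel=Network_Traffic where earliest=-1h
    by All_Traffic.src
| rename All_Traffic.* as *
| where dests > 50 OR dest_ports > 100
| lookup known_scanners.csv src OUTPUT scanner_name
| eval status=if(isnotnull(scanner_name), "expected", "unknown")
| table src scanner_name dests dest_ports status
| sort - dest_ports
```

For option 1 append `| search status=unknown` (and alert on any result); for option 2 keep both statuses, chart the results `by status`, and map `expected` to green and `unknown` to red with the Simple XML chart option `charting.fieldColors`.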