Solved: Re: How to prevent notable events from being creat...

waynemurraysgs · ‎08-26-2022

We have several devices that perform endpoint and network device scanning. As intended, they are scanning prohibited ports to verify they are not open, however the ESCU correlation searches , specifically the "Prohibited network Traffic Allowed" rule, is detecting thousands of these events each day.

How can I prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

Thank you.

Azeemering · ‎08-29-2022

Modify the correlation search to exclude the legitimate devices.

View solution in original post

starcher · ‎09-14-2022

This is why you should put devices into the Assets framework and label their category "known_scanner" then you can do like NOT src_category="known_scanner" into your search. So as you update assets new scanners don't trigger correlation searches.

Azeemering · ‎08-29-2022

Modify the correlation search to exclude the legitimate devices.

dokaas_2 · ‎10-09-2022

Correlation rules from sources such as ESCU will have a filter macro. For example, the rule "ESCU - Access LSASS Memory for Dump Creation - Rule" has a macro named "access_lsass_memory_for_dump_creation_filter". You should modify the macro rather than the rule itself.

Sometimes rules are updated in the ESCU. If one modifies the rule directly, the search will be saved in the 'local' folder and have precedence over an updated rule in the default folder.

How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

correlation search

incident review

using Enterprise Security

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio