@jpclipffel
Last active November 3, 2018 08:48

Splunk - Simple alert whitelist

Whitelist definition

The CSV defines two columns:

  • alert_name: the Splunk alert to which the whitelisted value in the next column applies
  • The second column's name must match the alert field being whitelisted (src_ip in the example below)

Example - src_ip_whitelist.csv

alert_name,      src_ip
my_splunk_alert, 192.168.1.42
my_splunk_alert, 10.0.0.0/16
other_alert,     172.16.10.11

Alert definition

Alert body

Collect events tagged as Intrusion Detection and format the results. Note the fields src_ip and dest_ip, on which we'll apply the whitelists later.

| datamodel Intrusion_Detection IDS_Attacks search
| `drop_dm_object_name(IDS_Attacks)`
| table detection_time src_ip dest_ip asset description

Whitelist

Perform a negative subsearch against each whitelist: the subsearch returns the whitelisted values for the named alert, and search NOT [...] drops every event whose field matches one of them.

| search NOT [inputlookup src_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields src_ip]
| search NOT [inputlookup dest_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields dest_ip]

Complete alert

| datamodel Intrusion_Detection IDS_Attacks search
| `drop_dm_object_name(IDS_Attacks)`
| table detection_time src_ip dest_ip asset description
| search NOT [inputlookup src_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields src_ip]
| search NOT [inputlookup dest_ip_whitelist | where match(alert_name, "my_splunk_alert") | fields dest_ip]
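As an added example that is not part of the gist, the Python below models the same whitelist logic offline so a CSV can be checked before it is loaded into Splunk: it enforces the column-name rule, scopes entries by alert_name, treats entries as /32 or CIDR networks, and drops an event when either src_ip or dest_ip matches, as the two chained search NOT [...] lines do. The dest_ip_whitelist.csv content and the IDS events are constructed here, since the gist does not show them.

```python
import csv
import io
import ipaddress
# Constructed copy of the gist's src_ip_whitelist.csv (padding spaces included).
SRC_IP_WHITELIST_CSV = """alert_name,      src_ip
my_splunk_alert, 192.168.1.42
my_splunk_alert, 10.0.0.0/16
other_alert,     172.16.10.11
"""
# Constructed dest_ip_whitelist.csv; the gist references it but does not show it.
DEST_IP_WHITELIST_CSV = "alert_name, dest_ip\nmy_splunk_alert, 198.51.100.0/24\n"

def load_whitelist(csv_text, field):
    """Return {alert_name: [ip_network, ...]}; bare IPs become /32 networks."""
    rows = [[cell.strip() for cell in row] for row in csv.reader(io.StringIO(csv_text))]
    header, body = rows[0], [r for r in rows[1:] if any(r)]
    if header != ["alert_name", field]:  # second column must match the alert field
        raise ValueError(f"expected columns alert_name,{field}; got {header}")
    whitelist = {}
    for alert_name, value in body:
        whitelist.setdefault(alert_name, []).append(ipaddress.ip_network(value, strict=False))
    return whitelist

def is_whitelisted(whitelist, alert_name, value):
    """True when `value` is an IP inside an entry scoped to `alert_name`."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # empty or non-IP field values never match
    return any(addr in net for net in whitelist.get(alert_name, []))

def apply_whitelists(events, alert_name, whitelists):
    """Mirror the chained `search NOT [...]`: drop an event if ANY field matches."""
    return [ev for ev in events
            if not any(is_whitelisted(wl, alert_name, ev.get(field, ""))
                       for field, wl in whitelists.items())]

# Constructed IDS events shaped like the gist's `table` output (time column omitted).
EVENTS = [
    {"src_ip": "192.168.1.42", "dest_ip": "10.20.30.40"},   # src exact match: dropped
    {"src_ip": "10.0.42.7",    "dest_ip": "10.20.30.40"},   # src in 10.0.0.0/16: dropped
    {"src_ip": "172.16.10.11", "dest_ip": "10.20.30.40"},   # listed for other_alert only: kept
    {"src_ip": "203.0.113.5",  "dest_ip": "198.51.100.9"},  # dest in 198.51.100.0/24: dropped
    {"src_ip": "203.0.113.5",  "dest_ip": "10.20.30.40"},   # no match: kept
]

def filtered_events():
    whitelists = {"src_ip": load_whitelist(SRC_IP_WHITELIST_CSV, "src_ip"),
                  "dest_ip": load_whitelist(DEST_IP_WHITELIST_CSV, "dest_ip")}
    return apply_whitelists(EVENTS, "my_splunk_alert", whitelists)
```

Running filtered_events() keeps only the third and fifth constructed events, which is what the complete alert above would return for the same data.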
@jpclipffel (Author)

Moved text to Markdown with code blocks.
Added description.
