Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to include src_up and dest_ip columns?

donaldwayne1975
Path Finder
‎10-19-2017 12:49 PM

Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated to have the src_ip and dest_ip columns to allow me to define acceptable usage of a port currently deemed prohibited.

Current header for the csv file is:

transport,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note

Proposing:

transport,src_ip,dest_ip,src_category,dest_category,src_pci_domain,dest_pci_domain,dest_port,is_prohibited,is_secure,note

Setup the example:

Let’s say we have two systems on our internal network, 172.1.1.15 (desktop) and 172.1.2.15(server). Bob, who uses the desktop 172.1.1.15 RDP’s to 172.1.2.15 once a month to do a report. Under the current configuration, Bob’s RDP access generates a notable event. We want to be able to put acceptable usage of a protocol in the lookup, so traffic that notable events are not created for acceptable usage. Also, would using wildcards possibly work on the src_ip and dest_ip values (example 172.1.1.0/24 or 172.1.1.*).

Example of default prohibited port definition:

tcp,unknown,*,,,3389,true,,deny_inbound_rdp_from_unknown

Example of proposed:

tcp,172.1.1.15,172.1.2.15,unknown,*,,,3389,false,,prohibit_inbound_rdp_from_unknown

Please let me know if more information is needed or there is a better way to address this item. Thank you in advance for your time.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nsmalley_splunk
Splunk Employee
Splunk Employee
‎10-21-2017 10:15 AM

You can add additional fields to extend the capability of the lookups in ES. If/when you do this you will also want to do a couple additional things using the rough outline provided below:
1. Configure additional Fields in lookups and schedule lookup creation - http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Createsearchdrivenlookups
2. Configure Correlations searches to leverage lookup and scheduled Correlations Searches to create Notable Events -
http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Configurecorrelationsearches

View solution in original post

Reply
Solved! Jump to solution
Solution

nsmalley_splunk
Splunk Employee
Splunk Employee
‎10-21-2017 10:15 AM

You can add additional fields to extend the capability of the lookups in ES. If/when you do this you will also want to do a couple additional things using the rough outline provided below:
1. Configure additional Fields in lookups and schedule lookup creation - http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Createsearchdrivenlookups
2. Configure Correlations searches to leverage lookup and scheduled Correlations Searches to create Notable Events -
http://docs.splunk.com/Documentation/ES/4.7.3/Admin/Configurecorrelationsearches

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...