2 Replies Latest reply on Dec 9, 2015 7:32 PM by rbroom

    Whitelisting a scanner?

    rbroom

      I'd like to whitelist some of our security devices that scan and probe the rest of the systems in the environment.  I haven't been able to find how Intel would like us to do this.  I HAVE set up a Whitelist watch list, which works for alerts and canned reports, but doesn't work for the canned dashboard views like "Incidents" - the security scanning we're doing skews all the results.


      Thanks for sharing!

        • 1. Re: Whitelisting a scanner?
          andy777

          Hi - I think you have the following options:


          1. Edit the default views to incorporate the whitelist. You can save them as Custom and even go so far as to hide the default views or put them in a folder.

          2. Make use of Filters. The settings of the Global Filter can be saved and also set as default. The filter can be changed and you can then "Restore Default" to apply it again.

          3. Whitelist the scanner in other tools to reduce the events they create about the scanner.

          4. Apply a Filter Rule at the Receiver to drop all of the events created by the scanner.


          There will be some quirks with the first two options where some of the components of the view won't be as fast as you would like.


          Option 3 may be reasonable depending upon your environment and security policies. It could be something like adjusting the GPO for the Windows FWs or creating a logging exception rule in the FW for the scanner. This could become unmanageable depending upon what's creating the alerts.


          Option 4 is probably the path of least resistance and maximum impact. You can create filters at the Receivers to drop events from all devices that include the scanner's IP address. This saves SIEM resources all the way around.


          Thanks.
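To make option 4 concrete, here is an added example (it is not from this thread and does not use McAfee ESM's own filter-rule syntax) of what a receiver-side drop rule does: it matches events whose source or destination address falls inside the scanner's whitelisted ranges and discards them before they reach the SIEM, while tallying what was dropped per reporting device. The scanner ranges, the key=value event format and the sample events are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed scanner whitelist: addresses the security scanners probe from (assumed values).
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("10.0.5.10/32", "10.0.5.64/28")]

# Event fields that carry an IP address in the assumed collector format.
IP_FIELDS = ("src_ip", "dst_ip")

# Constructed sample events in a simple key=value form (not a real ESM export).
SAMPLE_EVENTS = [
    "device=fw01 src_ip=10.0.5.10 dst_ip=10.1.2.3 action=deny",      # scanner is the source
    "device=dc01 src_ip=10.1.2.3 dst_ip=10.0.5.70 action=allow",     # scanner is the destination
    "device=fw01 src_ip=192.0.2.44 dst_ip=10.1.2.3 action=deny",     # unrelated: keep
    "device=ids01 src_ip=10.0.5.80 dst_ip=10.1.2.3 action=alert",    # just outside the /28: keep
    "device=fw01 msg=heartbeat",                                     # no address fields: keep
]


def parse_event(line):
    """Parse one key=value event line into a dict; tokens without '=' are ignored."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def involves_scanner(event):
    """True if any IP field of the event lies inside a whitelisted scanner range."""
    for field in IP_FIELDS:
        raw = event.get(field)
        if raw is None:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # Unparsable address: treat as no match so the event is kept, never silently dropped.
            continue
        if any(addr in net for net in SCANNER_RANGES):
            return True
    return False


def filter_events(lines):
    """Apply the drop rule; return the events to forward and a per-device count of dropped ones."""
    kept = []
    dropped = Counter()
    for line in lines:
        event = parse_event(line)
        if involves_scanner(event):
            dropped[event.get("device", "unknown")] += 1
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    forwarded, dropped_by_device = filter_events(SAMPLE_EVENTS)
    for line in forwarded:
        print("forward:", line)
    print("dropped per device:", dict(dropped_by_device))
```

Matching on both source and destination reproduces the "events from all devices that include the scanner's IP address" behaviour described above. Keeping a dropped-per-device count matters because a receiver-level filter is invisible in the dashboards; without a tally you cannot tell whether a drop in event volume is the rule working or a collector failing. Keep the whitelisted ranges as narrow as the scanners' real addresses, since anything else that ends up using those addresses disappears from the SIEM along with the scan noise.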

          • 2. Re: Whitelisting a scanner?
            rbroom

            Thanks Andy, I think all four options are useful, but as you said, 3 and 4 (particularly) will have the biggest bang for the buck.


            Thank you!