Whitelisting known good sources to avoid false positives
Hi, I want to avoid false positives that result from activity of my network vulnerability scanner (NVS). I have a watchlist for the NVS' IP addresses but not sure how to apply it. There are many views which include the types of things that the NVS triggers, like multiple failed logins. What's the most efficient way of applying the watchlist to NOT raise alerts for legitimate NVS activity? Thanks, Mark.
The best way to attack this is to set up a filter on your alert-event or correlation rule. In the operator dropdown list there will be options for "In Watchlist" and "Not In Watchlist". Apply the filter against a relevant address variable and that should do the trick. There are a number of tutorials in the Blog Corner section of this board that have examples of adding filters to alert events and rules.
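As an added illustration of what the "Not In Watchlist" filter does inside a failed-login correlation rule (this is generic example code, not the product's rule syntax or anything from the original thread): the scanner watchlist, the threshold, the syslog-style sample lines and the regex are all constructed assumptions. Sources that exceed the threshold are split into raised alerts and suppressed (watchlisted) hits, so the scanner's noise is dropped while the count for it is still visible for auditing.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical scanner watchlist (constructed): one address plus a small range,
# standing in for the NVS IP addresses kept in the SIEM watchlist.
SCANNER_WATCHLIST = ["10.0.5.10", "10.0.5.64/29"]
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample events. 10.0.5.10 is the scanner, 10.0.5.66 sits inside the
# watchlisted range, 192.168.1.77 is an unknown source that should still alert,
# and 192.168.1.80 stays under the threshold.
SAMPLE_LOGS = (
    ["sshd[101]: Failed password for admin from 10.0.5.10 port 40001 ssh2"] * 6
    + ["sshd[102]: Failed password for root from 10.0.5.66 port 40002 ssh2"] * 7
    + ["sshd[103]: Failed password for jdoe from 192.168.1.77 port 40003 ssh2"] * 5
    + ["sshd[104]: Failed password for jdoe from 192.168.1.80 port 40004 ssh2"] * 2
    + ["sshd[105]: Accepted password for jdoe from 192.168.1.80 port 40005 ssh2"]
)

# Assumed log format: extract the source address of each failed login.
FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+) port")


def load_watchlist(entries):
    """Parse watchlist entries (single IPs or CIDR ranges) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_watchlist(ip, networks):
    """The 'In Watchlist' operator: true if the address falls in any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def correlate_failed_logins(lines, watchlist_entries, threshold):
    """Count failed logins per source; raise alerts only for sources NOT in the
    watchlist, and report watchlisted sources separately as suppressed."""
    networks = load_watchlist(watchlist_entries)
    counts = Counter()
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1

    alerts, suppressed = {}, {}
    for ip, n in counts.items():
        if n < threshold:
            continue  # below the rule's threshold, nothing to raise
        if in_watchlist(ip, networks):
            suppressed[ip] = n  # known-good scanner activity, filtered out
        else:
            alerts[ip] = n  # unknown source exceeding the threshold
    return alerts, suppressed


if __name__ == "__main__":
    raised, dropped = correlate_failed_logins(SAMPLE_LOGS, SCANNER_WATCHLIST,
                                              FAILED_LOGIN_THRESHOLD)
    print("alerts:", raised)
    print("suppressed (in watchlist):", dropped)
```

Keeping the suppressed counts rather than discarding watchlisted events entirely lets you verify that the filter is catching only the scanner: if an address in the watchlist stops appearing in the suppressed set on a scan day, the watchlist or the scanner's source address has probably changed.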
Thanks for your quick reply Matt. To clarify a little, we have a view configured that consists of multiple correlated rules. When I am viewing the 'Manage Views - Customize Alert Configuration' screen for the view I see many correlated rules, none of which have the option of configuring a filter. I thought perhaps I could do a 'bulk edit' by selecting them all, then adding a filter but that doesn't seem possible. Perhaps correlated rules shouldn't be used like this, combined into one view? I'm very new to configuring alerting and find the nomenclature very unintuitive. As per your suggestion I've watched an early, 'intro to alerting' demo from Dave Glover, which was quite good. I'll try and find the next one in the series now, though they require manual browsing. Searching for "tutorial" gets no hits. Having all the blog entries in only the one blog is not very convenient, as a user has to scroll through all the marketing type posts before finding a howto type post.