Splunk® Enterprise Security

Administer Splunk Enterprise Security

Create and manage safelist libraries in Splunk Enterprise Security

Create safelists in Splunk Enterprise Security to exclude particular indicators from your threat lists generated by the threat intelligence management (cloud) system. Safelists ensure that threat lists remove indicators containing specific terms or phrases.

Follow these steps to add a safelist library:

  1. In Splunk Enterprise Security, select Configure and then Intelligence.
  2. In the Threat intelligence management (cloud) section, select Safelist libraries.
  3. Select + Add safelist library.
  4. Enter a name for the safelist.
  5. Enter each item one by one, or select Add safelist items in bulk to enter a full list of safelist items.
  6. Select Save.

After you add safelist libraries, you can edit or delete them from the list of libraries by selecting the pencil icon or the trash can icon.

See also

For more information on threat intelligence management (cloud), see the product documentation:

Last modified on 25 September, 2024
Use the inputintelligence command to use generic intelligence in Splunk Enterprise Security   Turn on threat matching searches in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters