Splunk® Intelligence Management (Legacy)

User Guide

Use an auto-safelist to remove URLs and IPs that are not useful

Auto-safelist is the Splunk Intelligence Management feature that uses machine learning to identify URLs and IP addresses that are noisy and irrelevant and remove them from correlation count, graph visualization, dashboard results, and API responses. This provides better relevancy in your investigations by removing URLs and IPs that are not useful.

URLs and IP addresses account for a large majority of observables identified by Splunk Intelligence Management, so they are the current focus of the auto-safelist.

Splunk Intelligence Management's machine learning models use three types of information when making decisions about what to include on the auto-safelist:

  • Contextual features: The words surrounding the observable. This is why the capability applies at the report level.
  • Lexical features: The types of characters present in the observable.
  • Third-party features: The values returned from third-party sources, such as the domain reputation.

What is the difference between the auto-safelist and the company safelist?

The auto-safelist uses contextual data around the observable at the report level. If an observable is automatically added to the Auto-Whitelist from a report created this month, it could still appear in a future report if the context changes.

When you manually add an observable to the company safelist, it will never be seen again in your reports or searches.

Can I undo an auto-safelist decision?

Yes, as long as you have read-write capabilities for the Enclave(s) containing the report. If you have these permissions, you can click on the red X button to revert the automated decision. This action affects all Enclaves associated with that report. For example, if you revert the Auto-Whitelist decision for an observable, it will appear as a malicious observable in all Enclaves associated with the report and it will be counted in the correlation count and appear in the graph visualization, dashboard results, and API responses.

Last modified on 21 April, 2022
Extract MITRE ATT&CK techniques and tactics from premium intelligence sources   Use enclaves to organize your intelligence sources

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters