Work with safelist libraries as a transformation
Intel Workflows lets you use Safelist Libraries as one of the possible transformations. This article explains how to create, edit, and delete those Safelist Libraries.
Add a safelist library
To create a new Safelist Library, follow this procedure:
- On the Transformations window of the Intel Workflow, click Add Safelist Library. This opens the Add Safelist Library window.
- Enter a name in the Safelist Library Name text field.
- Click Add Items on the right side of the window. This opens the Add Safelist Items window.
- In the left side text field, enter the values you want to add to the library. You can paste or type in a comma-separated string (no spaces). To add an IP range, use a network mask (for example: 126.96.36.199/24)
- When you finish entering items, click Analyze below the text box. This displays a list on the right side of the window of all the Observables extracted from your entries . You can sort items by Observable type
- Check the items you want to add to the Safelist and then click Add Safelist Items. This returns you to the Add Safelist Library window. To select all the items in the list, click the checkbox at the top of the list.
- Click Add Safelist Library to create the new library with the items you have selected. Do not add more than 5,000 items in a safelist library.
Edit a safelist library
Perform the following steps to edit a safelist library:
- Go to the Transformations window in the Intel Workflow.
- Click the more () icon in the safelist library, then choose Edit. This opens the Update Safelist Library window. You can then delete items or add new items to the list.
- If your Safelist library is long, you can search for specific items or use the Select box to filter the items by Observable type.
- To delete an item, click the trashcan icon on the right side of the box.
- To add an item, click Add Items and then follow steps 4-6 in the Adding a Safelist procedure above.
Delete a safelist library
Perform the following steps to delete a safelist library:
View a data set in Postman
Use the phishing triage workflow to automate suspicious email triage
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current