Splunk® Intelligence Management (Legacy)

User Guide

Work with safelist libraries as a transformation

Intel Workflows lets you use Safelist Libraries as one of the possible transformations. This article explains how to create, edit, and delete those Safelist Libraries.

Add a safelist library

To create a new Safelist Library, follow this procedure:

  1. On the Transformations window of the Intel Workflow, click Add Safelist Library. This opens the Add Safelist Library window.
  2. Enter a name in the Safelist Library Name text field.
  3. Click Add Items on the right side of the window. This opens the Add Safelist Items window.
  4. In the text field on the left side, enter the values you want to add to the library. You can paste or type in a comma-separated string (no spaces). To add an IP range, use a network mask (for example: 123.54.21.13/24).
  5. When you finish entering items, click Analyze below the text box. This displays a list on the right side of the window of all the Observables extracted from your entries. You can sort items by Observable type.
  6. Check the items you want to add to the Safelist and then click Add Safelist Items. This returns you to the Add Safelist Library window. To select all the items in the list, click the checkbox at the top of the list.
  7. Click Add Safelist Library to create the new library with the items you have selected. Do not add more than 5,000 items in a safelist library.
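
The input format from step 4 and the item limit from step 7 can be checked before you paste. The following Python sketch is an added example, not part of the Splunk documentation or product; the function name build_safelist_string, the /16 review threshold, and the sample values are assumptions.

```python
import ipaddress

MAX_ITEMS = 5000      # per-library limit stated in step 7
MIN_PREFIX_V4 = 16    # assumption: local review threshold, not a product rule

def build_safelist_string(raw_entries):
    """Return (paste_string, warnings) for the Add Safelist Items text field."""
    seen, items, warnings = set(), [], []
    for raw in raw_entries:
        value = raw.strip()
        if not value:
            continue
        if "," in value or len(value.split()) > 1:
            warnings.append(f"skipped, contains a comma or space: {value!r}")
            continue
        key, net = value, None
        if "/" in value:
            try:
                net = ipaddress.ip_network(value, strict=False)
                key = str(net)   # 123.54.21.13/24 and 123.54.21.0/24 are one range
            except ValueError:
                net = None       # not a CIDR (for example a URL); keep as typed
        if key in seen:
            continue             # duplicate entry or duplicate range
        seen.add(key)
        items.append(value)
        if net is not None and key != value:
            warnings.append(f"{value} covers all of {net} ({net.num_addresses} addresses)")
        if net is not None and net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            warnings.append(f"broad range, review before safelisting: {value}")
    if len(items) > MAX_ITEMS:
        raise ValueError(f"{len(items)} items exceeds the {MAX_ITEMS}-item limit")
    return ",".join(items), warnings

# Constructed sample input, not taken from a real environment.
SAMPLE = [" 123.54.21.13/24", "123.54.21.0/24", "example.com ", "10.0.0.0/8",
          "http://example.org/a/b", "bad value", ""]

if __name__ == "__main__":
    paste, notes = build_safelist_string(SAMPLE)
    print(paste)
    for note in notes:
        print("WARN:", note)
```

A safelisted range suppresses every address inside it, so the warnings are worth reading before you click Analyze.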

Edit a safelist library

Perform the following steps to edit a safelist library:

  1. Go to the Transformations window in the Intel Workflow.
  2. Click the more icon in the safelist library, then choose Edit. This opens the Update Safelist Library window. You can then delete items or add new items to the list.
    • If your Safelist library is long, you can search for specific items or use the Select box to filter the items by Observable type.
    • To delete an item, click the trashcan icon on the right side of the box.
    • To add an item, click Add Items and then follow steps 4-6 of the Add a safelist library procedure above.

Delete a safelist library

Perform the following steps to delete a safelist library:

  1. Go to the Transformations window in the Intel Workflow.
  2. Click the more icon in the safelist library, then choose Delete. This displays a confirmation dialog box. Click Remove Safelist to confirm that you want to delete the selected Safelist Library.
Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

