Hi All,
We recently installed Grayolg in our organisation. We have a tool for scanning vulnerabilities for our environment. We set up rule for SSH. Is there a way/steps how I can exclude that server from alert messaging?
Thanks
Easiest way is with a pipeline rule. However, from a security standpoint - remember pentesters love abusing vuln scanners (I certainly do). So, you may want to include logic that indicates it is definitely from the vuln scanner, or that you send up all kinds of alerts if that account is used for anything outside the norm.
Quick and Dirty
rule "drop_vuln_scanner"
when
has_field("source_ip") AND
$message.source_ip == "10.10.10.10"
then
drop_message();
end
1 Like
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.