Allowlisting

Overview

To reduce the amount of false positives an analyst is dealing with, allowlists can be used to tell detections not to create alerts if certain criteria are met. The criteria includes matching certain artifacts of alerts such as source.ip or destination.ip, and port, and a time window when the allowlist would be active.

Allowlists can be created for default (Scala) detections, custom DSL detections, and DSL feed (system-wide) detections. Allowlists cannot be shared between detections, meaning, each allowlist corresponds to exactly one detection. Detection can have multiple allowlists. Allowlists cannot not exist without detection.

Supported fields for Allowlisting as of 23.11 are:

• query.name
• server.ip
• client.ip
• url
• layer
• path
• domain.primary
• server.port
• client.ja3
• userAgent
• ip4Origin

Allowlists Management Page

The main area for security allowlists is the Allowlists management page.
Here, an analyst can overview all the allowlists available for editing. Allowlists created by Smart Incident Management will also be shown here until rejected.

Use the table to select the allowlist you want to manage or search by Detection name to narrow down the list. Once clicked, the allowlist would appear for editing on the right side panel, which resembles default side-panel view for allowlists and enables you to:

• delete the allowlist
• change the detection this allowlist is applicable to
• change the description of the allowlist
• alter the conditions for the allowlist
• select and update the time window for this allowlist

When clicking the existing condition or the + Conditions button, the popup window will be shown with an option to add more conditions to the allowlist.

Time conditions are templates of working hours schedule when the allowlist would be applied. Those can be removed if needed, as they are not tied to the allowlists directly and just provide predefined templates instead.

The Save template checkbox can be used to add new template to the shared list when the allowlist will be saved.

Selecting an allowlist with the Action required badge lets you see the automatically-created allowlist (via Smart Incident Management) that waits for approval.

Here, you would be prompted to either accept or decline the allowlist. Accepting converts the allowlist to a usual allowlist, and enables further changes, which are not possible until accepted. Declining removes that allowlist from the table but retains it in the database for Smart Incident Management learning purposes. The allowlist would not be applied to the detection.

Allowlisting on Alerts Overview

It is possible to allowlist alerts from the alert overview directly. After selecting an alert, the Allowlist button is enabled; it will open the Allowlists window.

The Allowlists window enables viewing of existing allowlists for the detection of the selected alert and creating a new one.

When this window is opened, the user is presented with ability to create a new allowlist for the detection. The available allowlists are listed on the left side of the window under the detection name. To view the allowlist, click it on the left side and its details will be shown on the right side of the window.
The allowlist description is available under detection name.
It is not possible to change the detection for an existing allowlist from this window.

This window also features suggested conditions: those are taken from the opened alert so it’s easier to add to allowlist the artifact of the alert of interest. To add a suggested condition to the allowlist, click the + button on the right side of the condition.

Applied conditions are separated from suggested ones via horizontal divider. Applied conditions can be edited by clicking or removed by using the x button. New conditions can be added using the + Conditions button. If condition has more than one value, it would be indicated.

Allowlists on Detections Page

Allowlists are also visible when selecting the detection on Detections page. If such detection has allowlists, those will be shown under the detection configuration and can be expanded to view more details, edited, or removed. Removing an allowlist will delete it, rather than only removing it from the detection.

Allowlists on Security Assets

Allowlists are also shown per asset if such asset is mentioned in the allowlist conditions. That is, if the allowlist condition contains the IP of the asset, such asset will show this allowlist.