topic Re: Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation? in Splunk Enterprise Security

Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation?

mgrosholz — Fri, 10 Jun 2016 18:45:59 GMT

I have a notable event seen in Splunk Enterprise Security's Security Posture dashboard.

I have reviewed it and determined it to be a false positive.
I want to remove it from view on the Security Posture dashboard.

Is there any way to do this?

Re: Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation?

esix_splunk — Sat, 11 Jun 2016 03:34:55 GMT

In the current form, there is no easy way to delete a notable event. The basic idea here is that event your false positives, you want to categorize. So you could create a new class for false positives and classify these notables into this.

See here : http://docs.splunk.com/Documentation/ES/4.1.1/User/NotableEvents

If you're really looking to delete the events, you'll need to look at the incident_review and notables macros, and where they are pulling the data from. In the latest versions of ES, notables are stored between KVStore, lookup files, and summary indexes..

Re: Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation?

mgrosholz — Mon, 13 Jun 2016 12:18:10 GMT

I don't want to make all the alerts false positives. Just the specific event that was investigated.

Would grouping them into a new class push all like events there? Or just that event?

Also, deleting the events, as you mentioned above, would delete all the notable events of the same kind; correct?

Re: Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation?

esix_splunk — Thu, 16 Jun 2016 00:46:16 GMT

You can go through the events singularly, and either mark them as false / true, or delete them.

Re: Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation?

supreetsingh — Thu, 16 Jun 2016 18:49:31 GMT

Click the Edit-> Edit Panels in the Security Posture Dashboard.
Under the Top Notable Events, click the search report and select Notable-Top Events and select Open in Search. Add status_group="New" to this search:

| `es_notable_events` | search timeDiff_type=current status_group="New" | stats sparkline(sum(count),30m) as sparkline,sum(count) as count by rule_name | sort 100 - count

Click Save, Save Dashboard. click Done
The Security Posture Dashboard will only show New Notable events

Re: Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation?

Azeemering — Fri, 15 Jun 2018 09:06:47 GMT

What you could try is index=notable rule_title="your_notable_event_title" | delete

Re: Splunk Enterprise Security: How to remove a notable event from the "Security Posture" dashboard after investigation?

apcsplunk — Thu, 28 Nov 2019 05:00:11 GMT

This worked for me 🙂

index=notable search_name="*your notable title*" | delete