topic Re: Where can I view created notable alert suppression entries in ES? in Splunk Enterprise Security

Where can I view created notable alert suppression entries in ES?

hperez — Wed, 23 Nov 2022 13:23:04 GMT

Hello,

Where can I view notable alert suppression entries in ES? I'm looking for a way to not only audit these entries but also remove them.

Re: Where can I view created notable alert suppression entries in ES?

richgalloway — Wed, 23 Nov 2022 19:29:01 GMT

You can view and disable notable event suppressions at Configure->Incident Management->Notable Event Suppressions. I'm not aware of a way to delete a suppression, but disabling them should have the same effect.

Re: Where can I view created notable alert suppression entries in ES?

starcher — Mon, 12 Dec 2022 14:09:29 GMT

Rich gave the stock answer.

If you also want to make a search start with this.

| rest splunk_server=local servicesNS/-/-/saved/eventtypes | search title=notable_suppression-* disabled=0 | rename eai:acl.app as app, title as object, search as command, updated as last_updated_readable | table disabled, app, object, description, last_updated_readable, command | eval _time=strptime(last_updated_readable,"%Y-%m-%dT%H:%M:%S%z") | eval isRecent=if(_time>relative_time(now(),"-1h"),true(),null()) | where isnotnull(isRecent) | rex field=command "_time\>(\=){0,1}(?P<start_time>\d+)" | eval start_time_readable=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%f%z") | rex field=command "_time\<(\=){0,1}(?P<end_time>\d+)" | eval end_time_readable=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%f%z") | eval end_time_large=if(end_time>relative_time(now(),"+90d"),true(),null()) | eval duration=end_time-start_time | `uptime2string(duration,duration_readable)` | append [ search eventtype=suppression_audit | fillnull value=unknown suppression, status, user | fillnull value=modified action | table _time, suppression, action, status, user | eval object="notable_suppression-".suppression] | eventstats values(user) as user, values(action) as action, values(status) as status by object | where isnull(suppression) | fillnull value=modified action | fillnull value=unknown user | rex mode=sed field=action "s/create/created/" | rex mode=sed field=action "s/edit/modified/" | `get_identity4events(user)` | fields - command

Re: Where can I view created notable alert suppression entries in ES?

aakwah — Tue, 20 Dec 2022 10:20:19 GMT

You can delete Suppressions from "Event types" page.

Re: Where can I view created notable alert suppression entries in ES?

lblystone — Fri, 06 Jan 2023 17:43:25 GMT

You can delete notable event suppressions by going to Settings > eventtypes and searching for the suppression that you want to delete. Here is the link to the Splunk doc on that: https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Customizenotables

However for tracking/audit purposes, it is probably better to just disable them.