topic Re: Noteable Event Supression in Splunk Enterprise Security

Noteable Event Supression

Rhidian — Wed, 17 Jul 2024 12:53:46 GMT

Is it possible to use a lookup file in the Noteble Event supression say to look up a list of assets/enviroments that we do/don't want to know about?

Re: Noteable Event Supression

bowesmana — Wed, 17 Jul 2024 22:41:50 GMT

When you talk about Notable event suppression, I assume you are talking about the Notable Event Suppression action in the Incident Review.

If you want to whitelist/blacklist certain assets, then you should add the lookup logic to the correlation search that has caused the notable event in the first place.

You cannot add lookup logic to the event type search ES creates for the suppression logic.

Re: Noteable Event Supression

inventsekar — Thu, 18 Jul 2024 01:40:59 GMT

Last month we were working on a Splunk ES Demo and i found out that we can not delete a notable.

either i have not understood the ES yet or the ES developers are really funny, lol !

Re: Noteable Event Supression

Rhidian — Thu, 18 Jul 2024 07:58:07 GMT

Thanks, I wanted to avid that as I would need to updated a lot of correlation searches. Any idea why this isn'g possible as the search looks like standard SPL?

Re: Noteable Event Supression

bowesmana — Fri, 19 Jul 2024 00:40:22 GMT

Unfortunately event type searches cannot contain any pipelines, so it has to be simply a raw search fragment