https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426819#M5450 <P>whrg,</P> <P>I will give this a try and validate over the next few days. Thanks</P> Mon, 10 Dec 2018 13:36:25 GMT jj39501 2018-12-10T13:36:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426817#M5448 <P>I currently have alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for x amount of time.</P> <P>For example an alert for John Smith logging from Australia. Once I validate that this in fact John Smith, I want to write this entry to a lookup table and suppress any future alerts from him for lets a say 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if i'm even headed the right direction with this. </P> <P>index="authenticatior" action=success | search "location.country"!="" AND "location.country"!="US" | table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country <BR /> |eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p") <BR /> | rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device<BR /> | sort Last<BR /> | inputlookup append=t mylookup.csv<BR /> | outputlookup mylookup.csv</P> Tue, 29 Sep 2020 22:19:36 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426817#M5448 jj39501 2020-09-29T22:19:36Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426818#M5449 <P>Instead of using a lookup table, how about using the throttle feature for alerts? You could throttle your alert based on the username.</P> Mon, 10 Dec 2018 09:23:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426818#M5449 whrg 2018-12-10T09:23:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426819#M5450 <P>whrg,</P> <P>I will give this a try and validate over the next few days. Thanks</P> Mon, 10 Dec 2018 13:36:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426819#M5450 jj39501 2018-12-10T13:36:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426820#M5451 <P>So I have tested this out for an entire week and unfortunately it suppressed ALL alerts which is not the desired outcome. I would like to be alerted for each different user and suppress alerts for that individual u<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6213i7DB4370D500B8684/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span>ser for 7 days. Hope this makes sense.</P> Sun, 16 Dec 2018 21:47:47 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426820#M5451 jj39501 2018-12-16T21:47:47Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426821#M5452 <P>I see you are renaming the field "username" to "User ID" in your search above.<BR /> So you should enter "User ID" in the field "Supress results containing field value".<BR /> (However, I'm not sure if spaces are accepted or if you have to use double quotes.)</P> Mon, 17 Dec 2018 07:34:26 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426821#M5452 whrg 2018-12-17T07:34:26Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426822#M5453 <P>I did try the User ID field initially, but not with the double quotes. I will try this and provide feedback.</P> Mon, 17 Dec 2018 13:06:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426822#M5453 jj39501 2018-12-17T13:06:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426823#M5454 <P>If it doesn't work, then don't rename "username", or rename username to User_ID (without spaces).</P> Mon, 17 Dec 2018 13:18:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426823#M5454 whrg 2018-12-17T13:18:39Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426824#M5455 <P>I have tried both suggestions at this time. Rewrote the alert and kept the original username field as is. However, all alerts are being suppressed as opposed to repeat user logins. Thinking the lookup table might be the more viable option here, </P> Tue, 25 Dec 2018 03:29:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-Create-Conditional-Alerting-based-on-Lookup-Tables/m-p/426824#M5455 jj39501 2018-12-25T03:29:13Z