Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude specific user and tag from an alert?

tstewartpf
New Member
‎07-25-2019 01:23 PM

I've created a GuarDuty finding alert in splunk but I want to exclude any findings from the alert that have specific Value or "tags" associated with regular maintenance scanning. Example would be when I look at the finding from an alert under Event actions I see detail.resource.instanceDetails.tags{}.value and there are some specific values that i have tagged that finding and I would love those not to be reported in the Alert I created.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-26-2019 01:56 AM

Hi tstewartpf,
could you share your search?
the way to proceed is to modify your search with the tags and users to exclude.
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-26-2019 12:27 PM

See here if using Enterprise Security (there is a feature for that):
https://docs.splunk.com/Documentation/Splunk/latest/Alert/ThrottleAlerts

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-26-2019 01:56 AM

Hi tstewartpf,
could you share your search?
the way to proceed is to modify your search with the tags and users to exclude.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

tstewartpf
New Member
‎07-26-2019 07:37 AM

This is my search:

sourcetype="aws:cloudwatch:guardduty" host=serverless

It reports back any GuardDuty activity which is fantastic, but now I want to limit a few activities it reports on... such as activities from known user or known monitoring systems.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-26-2019 07:42 AM

Hi tstewartpf,
At first, insert always in your searches the index so your search is faster!
Then try something like this:

index=my_index sourcetype="aws:cloudwatch:guardduty" host=serverless NOT (user=user1 OR user=user2)
| ...

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

tstewartpf
New Member
‎07-25-2019 01:35 PM

I forgot to mention if the alert is from a specific user or account I would want to exclude as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...