Hello all,
Kindly help me to find a solution for this.
I need to whitelist a list of hosts (the host count is >1220 and may grow further) from all alerts.
The field name for the host varies per correlation search. I have been trying the options below for some days:
1. Upload the list as a lookup table and whitelist through the lookup in all correlation rules (which will cause retroactive alerts).
2. Suppression rule - Since the host field name is different for each rule, I need to write a suppression rule for each correlation rule.
3. Single suppression rule - I am not clear how to get the host values from all correlation searches, map them into a single field, and then search on those values.
Currently I am trying to write a query to get the host values from `notable` and compare the values.
`notable` | eval whitelist_host=if(isnotnull(Hostname), Hostname, if(isnotnull(dest_host), dest_host, if(isnotnull(nt_host), nt_host, Computer_Name))) | table whitelist_host search_name Hostname dest_host nt_host Computer_Name | dedup whitelist_host
`notable` | eval gifted_host=coalesce(Hostname, dest_host, nt_host) | table gifted_host | dedup gifted_host
Please let me know if you have any suggestions or any other option.
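A worked version of option 3 as an added illustration; it is not from the original post and not Splunk's own code. It assumes the whitelist has been uploaded as a CSV lookup file named host_whitelist.csv with a single column `host` holding lowercase hostnames (both the file name and column name are assumptions). The search normalises the per-rule host fields into one `whitelist_host` field with `coalesce`, matches that field against the lookup, and then summarises which notables came from whitelisted hosts and which correlation rules produced them.

```spl
`notable`
| eval whitelist_host=lower(coalesce(Hostname, dest_host, nt_host, Computer_Name))
| lookup host_whitelist.csv host AS whitelist_host OUTPUTNEW host AS matched_host
| eval is_whitelisted=if(isnotnull(matched_host), "yes", "no")
| stats count AS notables, values(search_name) AS rules BY whitelist_host, is_whitelisted
| where is_whitelisted="yes"
```

Two checks are worth doing before relying on this: run it once without the final `where` to confirm that hosts you expect to be whitelisted really show `is_whitelisted="yes"` (a CSV lookup match is case-sensitive unless the lookup definition says otherwise, which is why both sides are lowercased here), and extend the `coalesce` list whenever a new correlation search introduces another host field name, since any field missing from that list will leave `whitelist_host` empty and the notable unmatched.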