How we can troubleshoot the ES Correlation Search for "non pdm alerts"?

AL3Z
Builder

Hello,
I have a significant number of Notables raised by the Non-pdm alerts correlation search.

The correlation search runs every 2 hours and triggers an alert when a user violates the policy:
sourcetype=netskope earliest=-2h NOT (alert_name IN ("pdm", " External_Shared Files - Alert", "All DLP Policies"))
| stats dc(alert_name) as alert_count, values(_time) as incident_time by user
Throttling is set to a 3-day duration. What changes do we need to make so that fewer notables are raised?
Thanks.


richgalloway
SplunkTrust

You have a few options.

1) Train the users to not violate policy

2) Adjust policy to better reflect what users need to do

3) Modify the CS to filter out "uninteresting" events

---
If this reply helps you, Karma would be appreciated.
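One way to apply the third option (filtering out "uninteresting" events) is to add a threshold and an exclusion list to the search from the question. The following SPL is an added example, not the answerer's search and not part of the original thread; the threshold value of 2 and the lookup name netskope_excluded_users.csv (a CSV with a single user column) are assumptions, as is the use of min/max of _time in place of values(_time), which keeps the notable compact when a user has many events in the window.

```spl
sourcetype=netskope earliest=-2h
    NOT (alert_name IN ("pdm", " External_Shared Files - Alert", "All DLP Policies"))
/* drop users listed in an assumed exclusion lookup (service accounts, known-good users) */
| search NOT [| inputlookup netskope_excluded_users.csv | fields user]
| stats dc(alert_name) as alert_count,
        values(alert_name) as alert_names,
        min(_time) as first_seen,
        max(_time) as last_seen
        by user
/* assumed threshold: only raise a notable when a user trips more than one distinct policy in the window */
| where alert_count >= 2
| convert ctime(first_seen) ctime(last_seen)
```

Two points to check alongside the search itself. First, in the correlation search editor the throttle window only suppresses repeats for the values of the "Fields to group by" you set; with user selected and a 3-day window, each user can still raise one notable per 3 days, and each newly violating user raises a fresh one, so the throttle alone will not reduce volume when many different users are involved. Second, because the search runs every 2 hours over earliest=-2h, a single event that lands exactly on a run boundary can be missed or counted in two adjacent runs; a slightly wider window such as earliest=-2h-5m@m with latest=-5m@m is the usual way to avoid that, at the cost of one throttle-protected duplicate.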