I have a question about throttling in correlation searches. I understand how throttling works, but I need something more... What I mean:
I have a correlation search with some response actions (create notable event and create SNOW ticket). Throttling is configured - the window duration is 1 hour and the fields to group by are "user" and "dest". So, for example, if the user were user1 and the destination were dest1 and the response actions were triggered, no more response actions for the combination of user1 and dest1 would be triggered for the next 1 hour. Fine.
My question is: imagine that the response actions for (user1, dest1) were triggered. Is there any way to set Splunk to suppress response actions for (user1, dest1) for, e.g., the next 1 week, but keep the window duration at 1 hour for all other combinations of (user, dest)?
The use case for this would be: imagine a SOC analyst, investigating an alert for (user1, dest1), reveals the root cause, but it cannot be fixed immediately and the alert for (user1, dest1) will be generated for the next few days. That is annoying, so the analyst would like to have the option to suppress alerts just for (user1, dest1) for the next few days.
Yes, you can. It's a bit of a manual effort, but worth it. The suppression for 1 hour on user and dest will remain as it is in your alert's throttling. Now let's assume that user=Adam and dest=abc.
A notable event is fired for this and is now in your Incident Review dashboard. You triage and decide to send it for remediation, as the system is infected by malware, which will take 7 days. To enable suppression for these particular values of user and dest, follow these steps:
1. In Incident review dashboard, find the Incident.
2. Click on the Actions dropdown belonging to the notable event for which you decided to invoke suppression.
3. Select Suppress Notable Events.
4. Name your suppression whatever you want and set the duration for the suppression. In your case, for the next 7 days. Select the date range accordingly.
5. The Selected fields option will be greyed out, but look at its description and click Change.
6. Verify that the values of user and dest are the ones you intended, which should be the case as we properly chose the notable. If not, I'd recommend searching for the right notable instead of modifying this one. That should be the last resort.
7. If you're happy with everything, click save.
This will make sure that for this particular user and dest, you won't see a notable event for the next 7 days for this particular alert only. If the same user and dest are found in some other alert, let's say DLP Violations, you'll get a notable event. For the rest of the notable events, throttling remains at 1 hour.
Let me know if this helps and how this works out. If it does, please mark this as an accepted answer.
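For reference, this is the shape of what those UI steps save (added here as an illustration, not part of the answer above): Splunk ES stores each notable suppression as an eventtype named notable_suppression-<name>, whose search pins the originating correlation search (the source field, which is why the answer says only this alert is affected), the chosen field values and the time window. The correlation search name, the epoch bounds and the stanza name are assumed placeholders, not values from a real deployment.

```ini
# Constructed example of a notable suppression as saved by Splunk ES
# (eventtypes.conf, local directory of SA-ThreatIntelligence).
# Incident Review hides notables that match this eventtype; the
# correlation search itself still runs with its 1 hour throttle.
[notable_suppression-adam_abc_remediation]
description = Root cause known, host remediation expected to take 7 days (assumed text)
disabled = 0
# source = rule name of the correlation search (assumed placeholder name)
# user/dest = the grouped-by values chosen from the notable
# _time bounds = start and end of the 7 day window, epoch seconds (constructed)
search = source="Endpoint - Example Malware Detection - Rule" user="Adam" dest="abc" _time>=1700000000 _time<=1700604800
```

Because the match includes source, the same user and dest combination in a different correlation search still produces a notable, which is the behaviour the answer describes.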
Hi, thank you for your reply, it is a useful hint. I have one more question - is there any way to suppress not only the notable event, but all response actions? If I have a correlation search with 2 response actions (e.g. notable event and Create SNOW ticket), is there any simple way to suppress both?