Splunk Enterprise Security

Hide specific notables from IR (Incident review) in ES

splunkreal
Motivator

Hello, we would like to filter ES incident review and hide notables with TEST keyword by example, how to do? Thanks for your help

* If this helps, please upvote or accept solution if it solved *
0 Karma
1 Solution

jawahir007
Communicator

Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.

search_name!=*TEST*

jawahir007_0-1729847733395.png

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

View solution in original post

splunkreal
Motivator

Hello @jawahir007 how are you? Found out we can filter by search_title also, where can we find list of IR fields? Thanks for your help!

* If this helps, please upvote or accept solution if it solved *
0 Karma

jawahir007
Communicator

You can achieve this by creating Custom Notable Event Suppressions. Please refer to the link below for more details.

https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Customizenotables#Create_and_manage_notable_eve...

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
0 Karma

splunkreal
Motivator

Hi @jawahir007  we don't want to suppress them just hide them based on saved filter.

* If this helps, please upvote or accept solution if it solved *
0 Karma

jawahir007
Communicator

Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.

search_name!=*TEST*

jawahir007_0-1729847733395.png

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

splunkreal
Motivator

Great thanks, it works with classic IR view 🙂

* If this helps, please upvote or accept solution if it solved *

gargantua
Path Finder

I've done this little app in order to adress this specific use case :

https://github.com/kilanmundera/Custom-Annotations-Framework-for-Splunk-Enterprise-Security

0 Karma
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...