Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hide specific notables from IR (Incident review) in ES

splunkreal
Motivator
‎10-25-2024 01:12 AM

Hello, we would like to filter ES incident review and hide notables with TEST keyword by example, how to do? Thanks for your help

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jawahir007
Communicator
‎10-25-2024 02:16 AM

Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.

search_name!=*TEST*

jawahir007_0-1729847733395.png

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

View solution in original post

Reply
Solved! Jump to solution

splunkreal
Motivator
2 weeks ago

Hello @jawahir007 how are you? Found out we can filter by search_title also, where can we find list of IR fields? Thanks for your help!

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

jawahir007
Communicator
‎10-25-2024 01:48 AM

You can achieve this by creating Custom Notable Event Suppressions. Please refer to the link below for more details.

https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Customizenotables#Create_and_manage_notable_eve...

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎10-25-2024 01:55 AM

Hi @jawahir007  we don't want to suppress them just hide them based on saved filter.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution
Solution

jawahir007
Communicator
‎10-25-2024 02:16 AM

Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.

search_name!=*TEST*

jawahir007_0-1729847733395.png

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
Reply
Solved! Jump to solution

splunkreal
Motivator
‎10-25-2024 02:25 AM

Great thanks, it works with classic IR view 🙂

* If this helps, please upvote or accept solution if it solved *
Reply
Solved! Jump to solution

gargantua
Path Finder
2 weeks ago

I've done this little app in order to adress this specific use case :

https://github.com/kilanmundera/Custom-Annotations-Framework-for-Splunk-Enterprise-Security

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top