Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Create Conditional Alerting based on Lookup Tables

jj39501
New Member
‎12-09-2018 01:58 PM

I currently have alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for x amount of time.

For example an alert for John Smith logging from Australia. Once I validate that this in fact John Smith, I want to write this entry to a lookup table and suppress any future alerts from him for lets a say 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if i'm even headed the right direction with this.

index="authenticatior" action=success | search "location.country"!="" AND "location.country"!="US" | table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country
|eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv

0 Karma
Reply

jj39501
New Member
‎12-24-2018 07:29 PM

I have tried both suggestions at this time. Rewrote the alert and kept the original username field as is. However, all alerts are being suppressed as opposed to repeat user logins. Thinking the lookup table might be the more viable option here,

0 Karma
Reply

jj39501
New Member
‎12-16-2018 01:47 PM

So I have tested this out for an entire week and unfortunately it suppressed ALL alerts which is not the desired outcome. I would like to be alerted for each different user and suppress alerts for that individual ualt textser for 7 days. Hope this makes sense.

alert-triggers.png
Preview file
52 KB
0 Karma
Reply

whrg
Motivator
‎12-16-2018 11:34 PM

I see you are renaming the field "username" to "User ID" in your search above.
So you should enter "User ID" in the field "Supress results containing field value".
(However, I'm not sure if spaces are accepted or if you have to use double quotes.)

0 Karma
Reply

jj39501
New Member
‎12-17-2018 05:06 AM

I did try the User ID field initially, but not with the double quotes. I will try this and provide feedback.

0 Karma
Reply

whrg
Motivator
‎12-17-2018 05:18 AM

If it doesn't work, then don't rename "username", or rename username to User_ID (without spaces).

0 Karma
Reply

jj39501
New Member
‎12-10-2018 05:36 AM

whrg,

I will give this a try and validate over the next few days. Thanks

0 Karma
Reply

whrg
Motivator
‎12-10-2018 01:23 AM

Instead of using a lookup table, how about using the throttle feature for alerts? You could throttle your alert based on the username.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top