I currently have alerting set up for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for x amount of time.
For example, an alert for John Smith logging in from Australia. Once I validate that this is in fact John Smith, I want to write this entry to a lookup table and suppress any future alerts from him for, let's say, 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if I'm even headed in the right direction with this.
index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time, device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv
I have tried both suggestions at this time. Rewrote the alert and kept the original username field as is. However, all alerts are being suppressed as opposed to repeat user logins. Thinking the lookup table might be the more viable option here.
So I have tested this out for an entire week and unfortunately it suppressed ALL alerts, which is not the desired outcome. I would like to be alerted for each different user and suppress alerts for that individual user for 7 days. Hope this makes sense.
I see you are renaming the field "username" to "User ID" in your search above.
So you should enter "User ID" in the field "Suppress results containing field value".
(However, I'm not sure if spaces are accepted or if you have to use double quotes.)
I did try the User ID field initially, but not with the double quotes. I will try this and provide feedback.
If it doesn't work, then don't rename "username", or rename username to User_ID (without spaces).
whrg,
I will give this a try and validate over the next few days. Thanks.
Instead of using a lookup table, how about using the throttle feature for alerts? You could throttle your alert based on the username.
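Both approaches discussed in the thread, the per-user lookup from the original post and the throttle suggested here, written out as savedsearches.conf stanzas. This is an added example, not the poster's search or anything from the thread. It assumes an index named authenticator with the field names used above, a hypothetical lookup file validated_logins.csv (uploaded as a lookup, or defined as a lookup definition of the same name) with the columns username and validated_time, where validated_time holds the epoch seconds at which an analyst confirmed the login, and a 15-minute schedule; the stanza names are invented.

```ini
# savedsearches.conf under an app's local/ directory. Added example, not from the thread.
# Assumed: index "authenticator", the field names used in the thread, and a
# hypothetical lookup validated_logins.csv with columns username,validated_time
# (validated_time = epoch seconds when an analyst confirmed the user).
# Alert actions (action.email etc.) are omitted.

# Approach 1: per-user suppression driven by the lookup.
# A row fires only if the user has never been validated, or the validation is
# older than 7 days (604800 seconds). The comparison is per row, so one
# validated user never hides the others.
[foreign_login_lookup_suppressed]
search = index=authenticator action=success location.country=* location.country!="US" \
  | lookup validated_logins.csv username OUTPUT validated_time \
  | where isnull(validated_time) OR _time > tonumber(validated_time) + 604800 \
  | table _time username user_first user_last user_managedBy device factor integration result location.city location.country
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0

# Approach 2: the built-in throttle, keyed on username for 7 days.
[foreign_login_throttled]
search = index=authenticator action=success location.country=* location.country!="US" \
  | table _time username user_first user_last user_managedBy device factor integration result location.city location.country
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# Throttling by a field value only takes effect when the alert triggers once
# per result (digest mode off). With the default once-per-search trigger the
# 7d window suppresses the whole alert, for every user, after the first fire.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = username
alert.suppress.period = 7d
```

For the lookup approach, a user is marked as validated by adding or replacing their row, for example `| makeresults | eval username="jsmith", validated_time=now() | inputlookup append=t validated_logins.csv | dedup username | fields username validated_time | outputlookup validated_logins.csv` (the new row comes first, so dedup keeps it over any older entry for the same user). The throttle approach needs no lookup at all, but the window starts from the first alert rather than from an analyst's confirmation, so an unvalidated user is silenced for the period too.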