Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Create Conditional Alerting based on Lookup Tables

jj39501
New Member
‎12-09-2018 01:58 PM

I currently have alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for x amount of time.

For example an alert for John Smith logging from Australia. Once I validate that this in fact John Smith, I want to write this entry to a lookup table and suppress any future alerts from him for lets a say 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if i'm even headed the right direction with this.

index="authenticatior" action=success | search "location.country"!="" AND "location.country"!="US" | table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country
|eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv

0 Karma
Reply

jj39501
New Member
‎12-24-2018 07:29 PM

I have tried both suggestions at this time. Rewrote the alert and kept the original username field as is. However, all alerts are being suppressed as opposed to repeat user logins. Thinking the lookup table might be the more viable option here,

0 Karma
Reply

jj39501
New Member
‎12-16-2018 01:47 PM

So I have tested this out for an entire week and unfortunately it suppressed ALL alerts which is not the desired outcome. I would like to be alerted for each different user and suppress alerts for that individual ualt textser for 7 days. Hope this makes sense.

Preview file
1 KB
0 Karma
Reply

whrg
Motivator
‎12-16-2018 11:34 PM

I see you are renaming the field "username" to "User ID" in your search above.
So you should enter "User ID" in the field "Supress results containing field value".
(However, I'm not sure if spaces are accepted or if you have to use double quotes.)

0 Karma
Reply

jj39501
New Member
‎12-17-2018 05:06 AM

I did try the User ID field initially, but not with the double quotes. I will try this and provide feedback.

0 Karma
Reply

whrg
Motivator
‎12-17-2018 05:18 AM

If it doesn't work, then don't rename "username", or rename username to User_ID (without spaces).

0 Karma
Reply

jj39501
New Member
‎12-10-2018 05:36 AM

whrg,

I will give this a try and validate over the next few days. Thanks

0 Karma
Reply

whrg
Motivator
‎12-10-2018 01:23 AM

Instead of using a lookup table, how about using the throttle feature for alerts? You could throttle your alert based on the username.

0 Karma
Reply
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...