I currently have alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for x amount of time.
For example an alert for John Smith logging from Australia. Once I validate that this in fact John Smith, I want to write this entry to a lookup table and suppress any future alerts from him for lets a say 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if i'm even headed the right direction with this.
index="authenticatior" action=success | search "location.country"!="" AND "location.country"!="US" | table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country
|eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv
I have tried both suggestions at this time. Rewrote the alert and kept the original username field as is. However, all alerts are being suppressed as opposed to repeat user logins. Thinking the lookup table might be the more viable option here,
I see you are renaming the field "username" to "User ID" in your search above.
So you should enter "User ID" in the field "Supress results containing field value".
(However, I'm not sure if spaces are accepted or if you have to use double quotes.)