Splunk Enterprise Security

Is there an easy way to close out 150K+ incident events?

jcoquico
Engager

We have recently installed ES for Splunk and have over 150K+ incidents that I want to close that were opened prior to tuning the correlation searches. Does anyone know of an 'easy' way to do this besides editing them through the Incident Review page?

1 Solution

LukeMurphey
Champion

There are a couple of ways to do this, but the best is probably to use a suppression rule. The nice thing about suppressions is that they apply to all matching events and you can easily modify the suppression to reverse the effects if it doesn't work the way that you hoped.

Below are directions:

  1. Open the ES Configuration page and open "Notable Event Suppressions"
  2. Click "new" to make a new one
  3. Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, then make the search something simple like "index=notable". Make sure to set an expiration date, otherwise your notable events will all be hidden. Save the suppression once you are done.
  4. By default, the suppression does not apply retroactively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0".

Here are some notes on the contents of the search:

  • index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
  • _time >= 0: this defines the start of the time range that the suppression applies to
  • _time < 1359784000: this defines the end of the time range that the suppression applies to
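Added worked example (not part of the answer above): two searches to run in the normal Search view before saving the suppression. The first scopes what the answer's suppression search (same bounds, same cutoff epoch 1359784000) would hide, broken down by rule_name, the field on each notable event that carries the correlation search name, so you can confirm it only catches the pre-tuning backlog. The second derives the "everything before now" cutoff the answer suggests instead of hand-typing an epoch; paste cutoff_epoch into the suppression search in place of 1359784000.

```spl
index=notable _time>=0 _time<1359784000
| stats count BY rule_name
| sort - count

| makeresults
| eval cutoff_epoch=now()
| eval cutoff_human=strftime(cutoff_epoch, "%Y-%m-%d %H:%M:%S %Z")
| table cutoff_epoch cutoff_human
```

Two caveats worth keeping in mind: the total from the first search should land near the 150K you expect, and any rule_name that shows up only after tuning is a sign the upper bound is too late. Also, as the answer notes, a suppression hides the notables rather than closing them, so their status does not change; if the expiration date on the suppression lapses, they reappear in Incident Review.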
