- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Splunk Enterprise Security: How do you stop em...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Enterprise Security: How do you stop emails from a suppressed alert in a correlation search?
I have a search that monitors alerts created by an IDS. I have begun going through the triggered alerts to suppress the known false positives, however, I still receive an email notification about the suppressed alert after it is triggered in the correlation search.
How do I turn off the emails for suppressed alerts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured out a workaround to this. By adding the following to the end of my correlation rule it checks the suppressed eventtypes first to see if there are anything that is suppressed with matching fields. If it find anything with matching fields that hasn't expired it doesn't return any results so the emails/tickets/notable/adaptive response actions are not triggered.
| search NOT
[ | 'suppression_eventtypes '
| eval _raw = search
| extract
| search source = "insert correlation rule name here" | eval tnow = now() | where tnow > start_time AND tnow ]
suppression _eventtypes is a macro..
| rest splunk_server=local count=0 /services/saved/eventtypes
| search title=notable_suppression*
| rename title as eventtype
| rex field=eventtype "notable_suppression-(?.+)"
| rex field=search "_time>=?(?\d+)"
| rex field=search "_time<=?(?\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The answer from Splunk is that the notable event suppression only hides notable events from the Incident Review dashboard. SInce the alert conditions are still met it will still fire the Adaptive Response action, send email, etc. The only way to prevent the alert from firing any other action is to either build the suppression in your correlation search or change the alert trigger conditions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be good if splunk could provide a template how to dynamically at supressions when supressed in the inident review.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@rdeloach Did you get an answer from Splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TheSlobb, did you ever get an answer on this? Im getting emails on a suppressed alert as well.
thanks,
Dan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I still don't have suitable workaround.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having this issue also. Not only with emails but adaptive response actions also. Trying to suppress a notable event from occurring but still getting a barrage of emails or incidents in a ticketing system isn't ideal. I'm going to put a support ticket in to see if they have any answers on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured out a workaround to this. By adding the following to the end of my correlation rule it checks the suppressed eventtypes first to see if there are anything that is suppressed with matching fields. If it find anything with matching fields that hasn't expired it doesn't return any results so the emails/tickets/notable/adaptive response actions are not triggered.
| search NOT
[ | suppression_eventtypes
| eval _raw = search
| extract
| search source = "
| eval tnow = now()
| where tnow > start_time AND tnow
| table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
suppression _eventtypes is a macro..
| rest splunk_server=local count=0 /services/saved/eventtypes
| search title=notable_suppression*
| rename title as eventtype
| rex field=eventtype "notable_suppression-(?.+)"
| rex field=search "_time>=?(?\d+)"
| rex field=search "_time<=?(?\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Meanwhile I created an additional correlation search which sends a mail. It's not optimal but it works.
| inputlookup es_notable_events
| search urgency=high OR urgency=critical
| eval last5min=now()-310
| where _time >= last5min
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is clever, and I really wish I could use this as an alternative. However, the information in the notable events logs are not enough to give context to the users who receive the alerts most times.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Was this ever resolved?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I never got a resolution for this one.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
