Splunk Enterprise Security

Splunk Enterprise Security: How do you stop emails from a suppressed alert in a correlation search?

theslobb
Explorer

I have a search that monitors alerts created by an IDS. I have begun going through the triggered alerts to suppress the known false positives; however, I still receive an email notification about the suppressed alert after it is triggered in the correlation search.

How do I turn off the emails for suppressed alerts?

dylan_yoder
New Member

I figured out a workaround to this. By adding the following to the end of my correlation rule, it checks the suppressed eventtypes first to see if there is anything suppressed with matching fields. If it finds anything with matching fields that hasn't expired, it doesn't return any results, so the emails/tickets/notable/adaptive response actions are not triggered.

| search NOT
    [ | `suppression_eventtypes`
      | eval _raw = search
      | extract
      | search source = "insert correlation rule name here"
      | eval tnow = now()
      | where tnow > start_time AND tnow < end_time ]

suppression_eventtypes is a macro:

| rest splunk_server=local count=0 /services/saved/eventtypes
| search title=notable_suppression*
| rename title as eventtype
| rex field=eventtype "notable_suppression-(?<suppression_name>.+)"
| rex field=search "_time>=?(?<start_time>\d+)"
| rex field=search "_time<=?(?<end_time>\d+)"

0 Karma
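As an added example (not code from the thread or from Splunk), the following Python script replays the logic of the workaround above offline: it parses notable_suppression-* eventtype definitions the way the macro's rex lines do, then checks whether a given event for a given correlation rule would be excluded by an unexpired suppression. The sample eventtype search strings are constructed, and their format (source, field=value pairs, epoch _time bounds) is assumed from the rex patterns in the post.

```python
import re
import time

# Constructed sample eventtypes in the shape the thread's macro expects:
# title notable_suppression-<name>, a search string carrying source,
# field=value pairs and epoch _time bounds (format assumed from the rex lines).
SAMPLE_SUPPRESSIONS = {
    "notable_suppression-ids_scanner_fp":
        'source="IDS Alert Rule" src="10.0.0.5" signature="ET SCAN Nmap" '
        '_time>=1700000000 _time<=1700604800',
    "notable_suppression-expired_fp":
        'source="IDS Alert Rule" src="10.0.0.9" '
        '_time>=1600000000 _time<=1600086400',
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # approximates "| eval _raw=search | extract"
START_RE = re.compile(r'_time>=?(\d+)')      # the macro's two rex patterns
END_RE = re.compile(r'_time<=?(\d+)')

def parse_suppression(title, search):
    """Turn one notable_suppression-* eventtype into a matchable suppression."""
    m = re.match(r'notable_suppression-(.+)', title)
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(search):
        if key != "_time":
            fields[key] = raw[1:-1] if raw.startswith('"') else raw
    start, end = START_RE.search(search), END_RE.search(search)
    return {
        "name": m.group(1),
        "source": fields.pop("source", None),  # correlation rule the suppression is for
        "start_time": int(start.group(1)) if start else 0,
        "end_time": int(end.group(1)) if end else float("inf"),
        "fields": fields,
    }

def is_suppressed(event, rule_name, suppressions, now=None):
    """True if an unexpired suppression for rule_name matches every field it names."""
    now = time.time() if now is None else now
    for s in suppressions:
        # same window test as the subsearch: tnow > start_time AND tnow < end_time
        if s["source"] != rule_name or not (s["start_time"] < now < s["end_time"]):
            continue
        if all(event.get(k) == v for k, v in s["fields"].items()):
            return True
    return False

if __name__ == "__main__":
    supps = [parse_suppression(t, s) for t, s in SAMPLE_SUPPRESSIONS.items()]
    event = {"src": "10.0.0.5", "signature": "ET SCAN Nmap"}
    print(is_suppressed(event, "IDS Alert Rule", supps, now=1700300000))  # True
```

Feeding the script the real eventtype search strings (for example, exported from the rest call in the macro) lets you confirm which suppression should catch a noisy event before you change the correlation search.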

rdeloach
Explorer

The answer from Splunk is that the notable event suppression only hides notable events from the Incident Review dashboard. Since the alert conditions are still met, it will still fire the Adaptive Response action, send email, etc. The only way to prevent the alert from firing any other action is to either build the suppression in your correlation search or change the alert trigger conditions.

wilhelmF
Path Finder

It would be good if Splunk could provide a template for how to dynamically add suppressions when suppressed in the Incident Review.

0 Karma

wilhelmF
Path Finder

@rdeloach Did you get an answer from Splunk?

dacosta
Explorer

TheSlobb, did you ever get an answer on this? I'm getting emails on a suppressed alert as well.

thanks,

Dan

0 Karma

wilhelmF
Path Finder

No, I still don't have a suitable workaround.

0 Karma

rdeloach
Explorer

I'm having this issue also. Not only with emails but adaptive response actions also. Trying to suppress a notable event from occurring but still getting a barrage of emails or incidents in a ticketing system isn't ideal. I'm going to put a support ticket in to see if they have any answers on it.

0 Karma

wilhelmF
Path Finder

Meanwhile I created an additional correlation search which sends a mail. It's not optimal but it works.

| inputlookup es_notable_events
| search urgency=high OR urgency=critical
| eval last5min=now()-310
| where _time >= last5min

0 Karma

theslobb
Explorer

This is clever, and I really wish I could use this as an alternative. However, the information in the notable event logs is not enough to give context to the users who receive the alerts most of the time.

0 Karma

phillip_rice
Explorer

Was this ever resolved?

Thanks

0 Karma

theslobb
Explorer

I never got a resolution for this one.

0 Karma