My SOC wants a page showing all recent notables, and which ones were suppressed by the current suppression rules. Obviously I can list notables with
index=notable
but how can I easily indicate the ones that actually showed up in Incident Review vs. the ones that were suppressed?
There are built in macros that can assist with what you're trying to do.
`notable`
`suppression`
Try:
`notable` | search NOT `suppression`
And you can take it from there with however else you want to proceed. We use one like this in a bubble chart viz to track notables that aren't suppressed, and their delta over the previous day, over 30 days.
`notable` | search eventtype!=notable_suppression* | bin _time span=24h |stats count by _time, search_name | streamstats window=2 global=f current=t first(count) as previous by search_name | eval delta=count-previous | eval time=_time | table search_name, time, delta, count
Another option would be to use the incident_review
macro:
| `incident_review`
That will only track notables that have been actioned somehow (hence tracked in the incident review KV store).
More information can be found here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA
Hope that helps!