Splunk Enterprise Security

Splunk Enterprise Security: How to display all notable events and indicate which ones were suppressed?

Path Finder

My SOC wants a page showing all recent notables, and which ones were suppressed by the current suppression rules. Obviously I can list notables with

index=notable

but how can I easily indicate the ones that actually showed up in Incident Review vs. the ones that were suppressed?

0 Karma

Path Finder

There are built in macros that can assist with what you're trying to do.

`notable` 
`suppression`

Try:

`notable` | search NOT `suppression`

And you can take it from there with however else you want to proceed. We use one like this in a bubble chart viz to track notables that aren't suppressed, and their delta over the previous day, over 30 days.

`notable` | search eventtype!=notable_suppression* | bin _time span=24h  |stats count by _time, search_name | streamstats window=2 global=f current=t first(count) as previous by search_name | eval delta=count-previous | eval time=_time | table search_name, time, delta, count

Another option would be to use the incident_review macro:

| `incident_review`

That will only track notables that have been actioned somehow (hence tracked in the incident review KV store).

More information can be found here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA

Hope that helps!

Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!