Splunk Enterprise Security

Splunk Rules: How to suppress threat activity alert into one

pavanbmishra
Path Finder

Hello Dears,

We usually see the threat correlation alert suppressed basis on the filed specified as per snap attached. It does work when there is any suspicious IP address reported, but not for URLs, say if the domain is registered as blacklisted and if the traffic hitting to that domain having different URLs, it triggered all those alerts.

How can we suppress these into one, if the domain is the same? Added additional field (threat_collection_key) to suppress URLs but seems not working here. Is there any workaround?

alt text

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...