Splunk Enterprise Security

Splunk Rules: How to suppress threat activity alerts into one


Hello Dears,

We usually see the threat correlation alert suppressed based on the field specified, as per the attached snapshot. It does work when any suspicious IP address is reported, but not for URLs: say the domain is registered as blacklisted and the traffic hitting that domain has different URLs; then it triggers all of those alerts.

How can we suppress these into one if the domain is the same? I added an additional field (threat_collection_key) to suppress URLs, but it seems not to be working here. Is there any workaround?

[attached screenshot of the suppression settings]

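The behaviour described in the post follows from how the throttle key is built: if the grouping field carries the full matched URL, every distinct path is a distinct value and therefore a distinct notable. The example below, added here as an illustration and not code from the poster or from Splunk, shows the normalisation step that collapses URL-level matches onto one domain-level key before grouping. The record layout and sample values are constructed; the field names mirror the threat-activity fields named in the post, and the assumption is that a derived key like this would be the one handed to the throttling configuration.

```python
"""Collapse URL-level threat matches onto one domain-level throttle key.

Added example, not Splunk's code and not the poster's configuration.
Assumption: the correlation search groups (throttles) on the value of a
field; if that value is a full URL, each path yields its own alert.
Deriving a key that is stable across paths of one domain fixes that.
"""
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample of threat-activity matches (values are made up).
SAMPLE_MATCHES = [
    {"src": "10.0.0.5", "threat_match_field": "url",
     "threat_match_value": "http://bad.example/login.php",
     "threat_collection_key": "domain_intel|bad.example"},
    {"src": "10.0.0.5", "threat_match_field": "url",
     "threat_match_value": "http://bad.example/images/logo.png",
     "threat_collection_key": "domain_intel|bad.example"},
    {"src": "10.0.0.5", "threat_match_field": "url",
     "threat_match_value": "https://BAD.example:8443/api?x=1",
     "threat_collection_key": "domain_intel|bad.example"},
    {"src": "10.0.0.5", "threat_match_field": "dest_ip",
     "threat_match_value": "203.0.113.9",
     "threat_collection_key": "ip_intel|203.0.113.9"},
]


def throttle_key(match):
    """Return (kind, value) that is identical for every URL of one domain.

    URLs are reduced to their lowercase hostname (port and path dropped);
    domain-style fields are lowercased; anything else is used verbatim.
    """
    field = match["threat_match_field"]
    value = match["threat_match_value"]
    if field == "url":
        # urlsplit needs a scheme or a leading "//" to find the host part.
        parts = urlsplit(value if "://" in value else "//" + value)
        host = parts.hostname or value  # .hostname is already lowercase
        return ("domain", host.rstrip("."))
    if field in ("domain", "dest"):
        return (field, value.lower().rstrip("."))
    return (field, value)


def collapse(matches):
    """Group matches by (src, throttle key); one alert per group.

    Each alert records how many raw matches it absorbed, which is what
    the poster wants to see instead of one notable per URL.
    """
    groups = OrderedDict()
    for m in matches:
        kind, val = throttle_key(m)
        k = (m["src"], kind, val)
        if k not in groups:
            groups[k] = {"src": m["src"], "key": f"{kind}:{val}",
                         "count": 0, "values": []}
        groups[k]["count"] += 1
        groups[k]["values"].append(m["threat_match_value"])
    return list(groups.values())


if __name__ == "__main__":
    for alert in collapse(SAMPLE_MATCHES):
        print(alert["src"], alert["key"], alert["count"], alert["values"])
```

Running it on the constructed sample produces two alerts instead of four: one for the domain key (absorbing the three differing URLs, including the mixed-case and non-default-port variant) and one for the IP match. In Splunk terms the same effect needs the grouping field to hold a value normalised this way rather than the raw URL; whether that is done in the search that populates the field or in the throttling configuration is an implementation choice this example does not settle.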