Splunk Enterprise Security

Throttling of ES Notable If A Notable Already Exists


Hi All,

Can anyone suggest whether we can throttle a correlation search if a notable is already in an open state for the same grouping values?

E.g.: I have a notable that triggers if someone accesses the GoogleAPI Storage site. I do not want it to trigger again if I already have a notable triggered from the same IP, until the first notable is resolved.

Otherwise, wouldn't it be a good thing to have, instead of having multiple notables triggered for similar occurrences until the root cause of the issue/threat is resolved?


SplunkTrust

This is an interesting use case, and it's going into mad science territory, so hang on.

The way I envision making this work is two parts:

One, edit your correlation search to also search | inputlookup incident_review_lookup, then narrow it down to see if the specific details you want to search off are already in there. If they are, and the notable isn't yet closed, then set var_underreview = 1.

Two, add an "is var_underreview > 0" check to see if it is a finding. That way, only items that aren't under review will trigger notables, and ergo, only those will fire.

If you need to, you could separate the creating of notables from the firing of alerts, but that would duplicate effort.

-- Michael S

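One way to implement the two steps above in SPL, as an added example that is not part of the answer or of Splunk's own content. It assumes a proxy data source (index=proxy with src and dest fields), an existing notable named "GoogleAPI Storage Access" in the search_name field, and the ES-supplied `notable` macro, which joins index=notable with the incident review data and exposes status_label; those names, and the "Resolved"/"Closed" status labels, are assumptions to adjust to your environment. Comments use the Splunk 8+ triple-backtick syntax.

```spl
index=proxy dest="storage.googleapis.com" ```assumed data source and destination```
| stats count AS hits min(_time) AS firstTime max(_time) AS lastTime BY src
| join type=left src
    [ search `notable` earliest=-30d latest=now ```subsearch gets its own time range, not the scheduled window```
        search_name="GoogleAPI Storage Access"
        NOT status_label IN ("Resolved", "Closed") ```anything still open, pending or in progress counts as under review```
      | stats count AS open_notables BY src ]
| eval var_underreview=if(coalesce(open_notables, 0) > 0, 1, 0) ```left join leaves open_notables null when no notable exists```
| where var_underreview=0 ```only sources with no open notable become findings```
| fields - open_notables var_underreview
```

Two practical caveats: the subsearch inside join is subject to the default subsearch limits (result count and runtime), so keep the lookback window and the status filter tight, and remember that the correlation search's built-in throttling is purely time-window based, so this status-based check is in addition to it, not a replacement.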
