Splunk Enterprise Security

Where can I view created notable alert suppression entries in ES?

hperez
Explorer

Hello,


Where can I view notable alert suppression entries in ES? I'm looking for a way to not only audit these entries but also remove them.

0 Karma

aakwah
Builder

You can delete Suppressions from "Event types" page.

starcher
Influencer

Rich gave the stock answer.

If you also want to make a search, start with this.

| rest splunk_server=local servicesNS/-/-/saved/eventtypes 
| search title=notable_suppression-* disabled=0 
| rename eai:acl.app as app, title as object, search as command, updated as last_updated_readable 
| table disabled, app, object, description, last_updated_readable, command 
| eval _time=strptime(last_updated_readable,"%Y-%m-%dT%H:%M:%S%z") 
| eval isRecent=if(_time>relative_time(now(),"-1h"),true(),null()) 
| where isnotnull(isRecent)  
| rex field=command "_time\>(\=){0,1}(?P<start_time>\d+)" 
| eval start_time_readable=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%f%z") 
| rex field=command "_time\<(\=){0,1}(?P<end_time>\d+)" 
| eval end_time_readable=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%f%z") 
| eval end_time_large=if(end_time>relative_time(now(),"+90d"),true(),null()) 
| eval duration=end_time-start_time 
| `uptime2string(duration,duration_readable)` 
| append 
    [ search eventtype=suppression_audit 
    | fillnull value=unknown suppression, status, user 
    | fillnull value=modified action 
    | table _time, suppression, action, status, user 
    | eval object="notable_suppression-".suppression] 
| eventstats values(user) as user, values(action) as action, values(status) as status by object 
| where isnull(suppression) 
| fillnull value=modified action 
| fillnull value=unknown user 
| rex mode=sed field=action "s/create/created/"
| rex mode=sed field=action "s/edit/modified/"
| `get_identity4events(user)` 
| fields - command 

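As an added example (not code from the thread), the following Python script performs the same audit offline over the JSON form of the `servicesNS/-/-/saved/eventtypes` endpoint the search above queries: it keeps the enabled notable_suppression-* entries, pulls the _time window out of each suppression's search and flags entries whose window ends more than 90 days out, the same check the SPL makes with end_time_large. The response field layout is assumed from the REST output, and the sample records are constructed.

```python
import json
import re

SUPPRESSION_PREFIX = "notable_suppression-"
START_RE = re.compile(r"_time>=?(\d+)")
END_RE = re.compile(r"_time<=?(\d+)")
DAY = 86400
NOW = 1720000000  # fixed "now" (2024-07-03T09:46:40Z) so the run is reproducible

# Constructed stand-in for servicesNS/-/-/saved/eventtypes?output_mode=json
# (assumed layout: name, acl.app, content.search, content.disabled).
SAMPLE_REST_JSON = json.dumps({"entry": [
    {"name": "notable_suppression-tuning_scanner", "acl": {"app": "SA-ThreatIntelligence"},
     "content": {"disabled": False,
                 "search": 'source="Detect Port Scan" _time>=1719828000 _time<=1723000000'}},
    {"name": "notable_suppression-forever", "acl": {"app": "SA-ThreatIntelligence"},
     "content": {"disabled": False,
                 "search": 'source="Brute Force" _time>=1719828000 _time<=2000000000'}},
    {"name": "notable_suppression-retired", "acl": {"app": "SA-ThreatIntelligence"},
     "content": {"disabled": True, "search": "_time>=1700000000 _time<=1700003600"}},
    {"name": "web_error", "acl": {"app": "search"},
     "content": {"disabled": False, "search": "status>=500"}},
]})


def parse_window(search):
    """Return the (start, end) epoch seconds a suppression search encodes, or None."""
    start, end = START_RE.search(search), END_RE.search(search)
    return (int(start.group(1)), int(end.group(1))) if start and end else None


def audit_suppressions(rest_json, now=NOW, horizon_days=90):
    """List enabled notable_suppression-* eventtypes with their active window."""
    findings = []
    for entry in json.loads(rest_json)["entry"]:
        if not entry["name"].startswith(SUPPRESSION_PREFIX):
            continue  # an ordinary eventtype, not a suppression
        content = entry.get("content", {})
        if str(content.get("disabled", "0")).lower() in ("1", "true"):
            continue  # disabled suppressions no longer hide notables
        window = parse_window(content.get("search", ""))
        start, end = window if window else (None, None)
        findings.append({
            "object": entry["name"],
            "app": entry.get("acl", {}).get("app"),
            "start": start, "end": end,
            "duration": (end - start) if window else None,
            # same test as end_time > relative_time(now(), "+90d") in the SPL above;
            # a search with no _time bounds at all is also treated as open-ended
            "open_ended": window is None or end > now + horizon_days * DAY,
        })
    return findings
```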

richgalloway
SplunkTrust

You can view and disable notable event suppressions at Configure->Incident Management->Notable Event Suppressions. I'm not aware of a way to delete a suppression, but disabling them should have the same effect.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lblystone
Splunk Employee

You can delete notable event suppressions by going to Settings > eventtypes and searching for the suppression that you want to delete. Here is the link to the Splunk doc on that: https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Customizenotables

However, for tracking/audit purposes, it is probably better to just disable them.

0 Karma