Splunk Enterprise Security

Why is notable suppression not working?

kkrises
Path Finder

Hello Splunkers,

I configured a new Notable suppression in ES for a repeated notable based on source IP. I can see the suppression entry is created under eventtypes, but the notable is still coming to the Incident Review console.

I suspect an issue with my search configuration under the suppression settings.

My search config is like below:

index=network dest_port IN(389,636) src_ip=10.x.x.x 

This was to suppress notables triggering for my recent LDAP traffic search. Thank you.

1 Solution

kkrises
Path Finder

@VatsalJagani - Thanks for the help. Querying the notable index worked in this case, and I had to adjust the fields as below:

index=notable src_ip="10.x.x.x" search_name="ESCU - Detect Outbound LDAP Traffic - Rule"

This worked and notables are not coming in now.


VatsalJagani
SplunkTrust
SplunkTrust

@kkrises - Your search should look something like this:

`get_notable_index` dest_port IN(389,636) src_ip=10.x.x.x

(You need to run it on the notable index, not on the network index.)

Make sure your correlation search is generating dest_port and src_ip as a result.


I hope this helps!!!
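A way to check the two things this answer asks for, as an added example that is not part of the original thread: first, that the correlation search really emits src_ip and dest_port on its notable events (a suppression search referencing a field the notable does not carry will never match), and second, that the suppression search itself matches only the intended notables when run against the notable index. It uses the `get_notable_index` macro from the answer above and the search_name from this thread; the address 10.x.x.x stands in for the real source IP exactly as in the original post.

```spl
`get_notable_index` search_name="ESCU - Detect Outbound LDAP Traffic - Rule"
| eval has_src_ip=if(isnotnull(src_ip), "yes", "no"),
       has_dest_port=if(isnotnull(dest_port), "yes", "no")
| stats count BY has_src_ip has_dest_port

`get_notable_index` search_name="ESCU - Detect Outbound LDAP Traffic - Rule" src_ip="10.x.x.x" dest_port IN (389,636)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY src_ip dest_port
```

Run the first search over the same time range the notables were raised in; every row should read yes/yes. If a "no" row appears, the correlation search is not populating that field on the notable, and the suppression filter has to use the fields the notable actually carries (which is why the accepted answer dropped dest_port and filtered on search_name instead). The second search, minus the stats line, is the suppression search: keep src_ip exact and keep the search_name filter so the suppression hides only this host's LDAP notables rather than every notable from that host. Suppression only hides matching notables from Incident Review; the correlation search still runs and still writes them to the notable index, so this reduces triage noise without changing what is detected.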


VatsalJagani
SplunkTrust
SplunkTrust

@kkrises - Please share your ES suppression config so we can check what's wrong.


kkrises
Path Finder

This is my search string for ES suppression config.

index=network dest_port IN(389,636) src_ip=10.x.x.x 
