Splunk Enterprise Security

Why is notable suppression not working?

kkrises
Path Finder

Hello Splunkers,

I configured a new Notable suppression in ES for a repeated notable based on source IP. I could see the suppression entry is created under eventtypes, but the notable is still coming to Incident Review console.

I suspect issue with my Search configuration under the suppression settings.

My search config is like below :

index=network dest_port IN(389,636) src_ip=10.x.x.x 

This was to suppress notables triggering for my recent LDAP traffic search. Thank you.

Tags (1)
0 Karma
1 Solution

kkrises
Path Finder

@VatsalJagani - Thanks for the help. Querying the index notable worked in this case and have to adjust the fields as below : 

index=notable src_ip="10.x.x.x" search_name="ESCU - Detect Outbound LDAP Traffic - Rule". This worked and notables are not coming in now.

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@kkrises - Your search should look something like this:

`get_notable_index` dest_port IN(389,636) src_ip=10.x.x.x

(You need to run on notable index, not on network index)

Make sure your correlation search is generating dest_port and src_ip as a result.

 

I hope this helps!!!

kkrises
Path Finder

@VatsalJagani - Thanks for the help. Querying the index notable worked in this case and have to adjust the fields as below : 

index=notable src_ip="10.x.x.x" search_name="ESCU - Detect Outbound LDAP Traffic - Rule". This worked and notables are not coming in now.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@kkrises - Please share your ES suppression config so we can check what's wrong.

0 Karma

kkrises
Path Finder

This is my search string for ES suppression config.

index=network dest_port IN(389,636) src_ip=10.x.x.x 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...