Solved: Why is notable suppression not working?

kkrises · ‎06-28-2022

Hello Splunkers,

I configured a new Notable suppression in ES for a repeated notable based on source IP. I could see the suppression entry is created under eventtypes, but the notable is still coming to Incident Review console.

I suspect issue with my Search configuration under the suppression settings.

My search config is like below :

index=network dest_port IN(389,636) src_ip=10.x.x.x

This was to suppress notables triggering for my recent LDAP traffic search. Thank you.

kkrises · ‎07-01-2022

@VatsalJagani - Thanks for the help. Querying the index notable worked in this case and have to adjust the fields as below :

index=notable src_ip="10.x.x.x" search_name="ESCU - Detect Outbound LDAP Traffic - Rule". This worked and notables are not coming in now.

View solution in original post

VatsalJagani · ‎06-30-2022

@kkrises - Your search should look something like this:

`get_notable_index` dest_port IN(389,636) src_ip=10.x.x.x

(You need to run on notable index, not on network index)

Make sure your correlation search is generating dest_port and src_ip as a result.

I hope this helps!!!

kkrises · ‎07-01-2022

@VatsalJagani - Thanks for the help. Querying the index notable worked in this case and have to adjust the fields as below :

index=notable src_ip="10.x.x.x" search_name="ESCU - Detect Outbound LDAP Traffic - Rule". This worked and notables are not coming in now.

VatsalJagani · ‎06-28-2022

@kkrises - Please share your ES suppression config so we can check what's wrong.

kkrises · ‎06-29-2022

This is my search string for ES suppression config.

index=network dest_port IN(389,636) src_ip=10.x.x.x

Why is notable suppression not working?

incident review

notable event

using Enterprise Security

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk