Splunk Enterprise Security

Why is notable suppression not working?

kkrises
Path Finder

Hello Splunkers,

I configured a new Notable suppression in ES for a repeated notable based on source IP. I could see the suppression entry is created under eventtypes, but the notable is still coming to Incident Review console.

I suspect issue with my Search configuration under the suppression settings.

My search config is like below :

index=network dest_port IN(389,636) src_ip=10.x.x.x 

This was to suppress notables triggering for my recent LDAP traffic search. Thank you.

Tags (1)
0 Karma
1 Solution

kkrises
Path Finder

@VatsalJagani - Thanks for the help. Querying the index notable worked in this case and have to adjust the fields as below : 

index=notable src_ip="10.x.x.x" search_name="ESCU - Detect Outbound LDAP Traffic - Rule". This worked and notables are not coming in now.

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@kkrises - Your search should look something like this:

`get_notable_index` dest_port IN(389,636) src_ip=10.x.x.x

(You need to run on notable index, not on network index)

Make sure your correlation search is generating dest_port and src_ip as a result.

 

I hope this helps!!!

kkrises
Path Finder

@VatsalJagani - Thanks for the help. Querying the index notable worked in this case and have to adjust the fields as below : 

index=notable src_ip="10.x.x.x" search_name="ESCU - Detect Outbound LDAP Traffic - Rule". This worked and notables are not coming in now.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@kkrises - Please share your ES suppression config so we can check what's wrong.

0 Karma

kkrises
Path Finder

This is my search string for ES suppression config.

index=network dest_port IN(389,636) src_ip=10.x.x.x 

0 Karma
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...