Splunk Enterprise Security

list of events alerted last month

splunkcol
Contributor

With this query I can see the notable events that are currently active.

But not every one of them has been alerted, even though they are active.

I would like to know what the query would be to see those that the tool has alerted in the last month.


| rest splunk_server=local count=0 /services/saved/searches
| search action.notable.param.severity=*
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| table csearch_name, csearch_label, app, security_domain, description, action.notable.param.severity

splunkcol
Contributor


Solved

`notable`
| search NOT `suppression`
| fields rule_name urgency
| stats count(eval(urgency="low")) as low count(eval(urgency="medium")) as medium count(eval(urgency="high")) as high count(eval(urgency="critical")) as critical by rule_name


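As an added example (not from the original post), the same `notable` base search pinned to the previous calendar month with relative_time, so the "last month" window does not depend on the time picker; rule_name, urgency and security_domain are standard notable fields, and the two macros are the ones used in the accepted answer.

```spl
`notable`
| search NOT `suppression`
| where _time >= relative_time(now(), "-1mon@mon") AND _time < relative_time(now(), "@mon")
| stats count AS notables,
        count(eval(urgency="critical")) AS critical,
        count(eval(urgency="high")) AS high,
        count(eval(urgency="medium")) AS medium,
        count(eval(urgency="low")) AS low,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY security_domain, rule_name
| convert ctime(first_seen) ctime(last_seen)
| sort - notables
```

The time picker still has to cover at least the previous month, since the where clause can only narrow the range the `notable` macro searched, never widen it.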