Currently, I'm trying to leverage a lookup table to accomplish the following:
I currently have an alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for an X amount of time. I have tried using the throttling feature, however it is suppressing ALL alerts for the specified time.
For example, an alert for John Smith logging from Australia. Once I validate that this is, in fact, John Smith, I want to write this entry to a lookup table. The next time the search is run, it should lookup the username fields in my lookup table and suppress any future alerts from him, for lets, 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if i'm even headed the right direction with this.
index="authenticatior" action=success | search "location.country"!="" AND "location.country"!="US" | table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country
|eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv
Hi, you can use below query to get a list of the users who are outside of the country which does not contain throttled user.
*index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time device,username,user_first,user_last,user_managedBy,factor,integration,result,location.city,location.country
| lookup mylookup.csv
| where isnull(last_date)
| fields - last_date
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp location.city as City, location.country as Country user_managedBy as Manager username as "User ID" user_first as First, user_last as Last, factor as Factor integration as Integration result as Result device as Device
| sort Last *
And use below query to add a user in the lookup.
| inputlookup mylookup.csv
| append
[| makeresults 1
| eval username="Name of User",numberofdays=numberofdays , last_date=_time+86400*(numberofdays)
| fields user,last_date]
| outputlookup mylookup.csv
You have to schedule below query to remove throttled user from lookup when the time will expire so that schedule below query which runs at 12:00 AM(for example) every day.
| inputlookup mylookup.csv
| where last_date > _time
| outputlookup mylookup.csv
Converted from an answer into a question.