Solved: How to exclude notable events from triggering usin...

mdicenzo · ‎08-04-2022

We have notable events for when a user is created on multiple devices. Most of them are expected for when devices are imaged.

I want to use erex to create a suppression for like accounts. They typically have the same beginning and are followed by 2 numbers. Example would ituser23, ituser24, ituser25.

I am using the search below for testing

index=notable source="Endpoint - Anomalous User Account Creation - Rule" | erex user examples="ituser23, ituser24, ituser25"

I am still getting user accounts that are unrelated such as phone or tablet.

When I look at the recommended regex it seems like it is not being granular enough.

richgalloway · ‎08-04-2022

Skip erex and go directly to the regex command. This query will filter out users with names consisting of "ituser" followed by 2 digits.

index=notable source="Endpoint - Anomalous User Account Creation - Rule" 
| regex user!="^ituser\d\d$"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-04-2022

Skip erex and go directly to the regex command. This query will filter out users with names consisting of "ituser" followed by 2 digits.

index=notable source="Endpoint - Anomalous User Account Creation - Rule" 
| regex user!="^ituser\d\d$"

---
If this reply helps you, Karma would be appreciated.

mdicenzo · ‎08-04-2022

This is eventually how I did this. Thank you for the help!

richgalloway · ‎08-04-2022

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

How to exclude notable events from triggering using erex?

search job inspector

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...