Splunk Enterprise Security: How to display all not...

andygerber · ‎10-10-2016

My SOC wants a page showing all recent notables, and which ones were suppressed by the current suppression rules. Obviously I can list notables with

index=notable

but how can I easily indicate the ones that actually showed up in Incident Review vs. the ones that were suppressed?

mparks11 · ‎12-15-2016

There are built in macros that can assist with what you're trying to do.

`notable` 
`suppression`

Try:

`notable` | search NOT `suppression`

And you can take it from there with however else you want to proceed. We use one like this in a bubble chart viz to track notables that aren't suppressed, and their delta over the previous day, over 30 days.

`notable` | search eventtype!=notable_suppression* | bin _time span=24h  |stats count by _time, search_name | streamstats window=2 global=f current=t first(count) as previous by search_name | eval delta=count-previous | eval time=_time | table search_name, time, delta, count

Another option would be to use the incident_review macro:

| `incident_review`

That will only track notables that have been actioned somehow (hence tracked in the incident review KV store).

More information can be found here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA

Hope that helps!

Splunk Enterprise Security: How to display all notable events and indicate which ones were suppressed?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?