We have a lot of indicators in our Splunk Incident Review queue, and I am having a challenging time with Splunk Enterprise Security Suppression, and it's driving me nuts. It's been about a year and I cannot figure out how people efficiently suppress domains, IPs and URLs.
I can click an event, and add it to a suppression, but it appears you can have only 30 suppressions maximum, or they roll over into not being able to see your previous suppressions. Plus, each individual suppression adds an additional search, which can cause overhead so we try to add a lookup within a suppression and it does not work properly.
So then we edit the "Threat Activity Detected" correlation search with either a macro or a lookup with domains we don't want to see and it still does not seem to properly tune out indicators that constantly populate our queue.
| search `high_level_domains_tuneout` NOT [ |inputlookup IP_DomainIntelTuneOut.csv | return 999 threat_match_value ]
So what methods are you guys doing to suppress all of your different kinds of indicators? Are you using lookups or the Splunk Suppression workflow? I'm open to suggestions for better methods. I don't think it should really be this complicated. What methods are you using to do your Splunk ES Incident Review Suppression?
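An added example, not from the original post: the same tune-out done with a direct `lookup` rather than a `NOT [ ... | return ... ]` subsearch, so the filter is not subject to subsearch result or runtime limits. It assumes a lookup definition named `ip_domain_intel_tuneout` (hypothetical name) created in Splunk over the poster's `IP_DomainIntelTuneOut.csv`, whose single column is `threat_match_value`.

```spl
| search `high_level_domains_tuneout`
| lookup ip_domain_intel_tuneout threat_match_value OUTPUT threat_match_value AS tuned_out
| where isnull(tuned_out)
```

Events whose indicator matches a row in the lookup get `tuned_out` populated and are dropped; setting `match_type = WILDCARD(threat_match_value)` on the lookup definition lets entries such as `*.example.net` suppress whole domain trees.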