Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Removing redundant alerts with the dedup command

Alert throttling, while helpful, can create excessive notifications due to redundant risk events stacking up in the search results. In such cases, use the dedup command to make sure that each event counts only once toward the total risk score. Using the dedup command in the logic of the risk incident rule can remove duplicate alerts from the search results and display only the most recent notifications prior to calculating the final risk score.

For example, use the dedup command to filter the redundant risk notables by fields such as risk_message, risk_object, or threat_object.

| dedup risk_message risk_object threat_object

Remove redundant alerts with the dedup command

Follow these steps to use the dedup command in the risk incident rule to remove redundant alerts:

The following procedure is for illustrative purposes only. Fields and values that you use might vary.

  1. Navigate to the base search of the risk incident rule.
    BY All_Risk.risk_object,All_Risk.risk_object_type
    | 'drop_dm_object_name("All_Risk")'
  2. Use the streamstats command to retain the original score, sources, and risk messages.
    BY All_Risk.risk_object,All_Risk.risk_object_type
    | 'drop_dm_object_name("All_Risk")'
    | streamstats sum(risk_score) as original_score values(source) as sources
    values(risk_message) as risk_messages
    BY risk_object
    
  3. Use the eval command and the case function to identify the risk messages that might inflate the risk score. The following search creates a new field called adjust_score that you can use to combine the risk events (i.e. risk messages) if they match the stated criteria. If there is no match, the field adjust_score is empty.
    | eval adjust_score = case(
    source IN ("My Noisy Rule That Fires a Lot but I Still Want to Know About,
    Once", "My Other Really Useful Context Low Risk Rule"),"1",
    match(risk_message,"IDS - Rule Category 1.*|IDS - Rule Category 2.*") OR
    match(risk_message,"DLP - Rule Category 1.*|DLP - Rule Category 2.*"),"1",
    1=1,null())
    
  4. Use the coalesce function to take the new field, which just holds the value "1" if it exists. If it does not exist, use the risk message.
    | eval combine = coalesce(adjust_score,risk_message)
    
  5. Use the dedup command on the combine field to add the results from the saved fields so that the noisy alerts are counted only once.
    | dedup combine risk_score
    | streamstats sum(risk_score) as risk_score values(sources) as source
    values(risk_messages) as risk_message
    BY risk_object
    

In summary, use the following search to remove the redundant alerts:

BY All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | streamstats sum(risk_score) as original_score values(source) as sources values(risk_message) as risk_messages BY risk_object | eval adjust_score = case( source IN ("My Noisy Rule That Fires a Lot but I Still Want to Know About, Once", "My Other Really Useful Context Low Risk Rule"),"1", match(risk_message,"IDS - Rule Category 1.*|IDS - Rule Category 2.*") OR match(risk_message,"DLP - Rule Category 1.*|DLP - Rule Category 2.*"),"1", 1=1,null()) | eval combine = coalesce(adjust_score,risk_message) | dedup combine risk_score | streamstats sum(risk_score) as risk_score values(sources) as source values(risk_messages) as risk_message BY risk_object

See also

For more information on Splunk commands and functions, see the product documentation:

Comparison and Conditional functions

streamstats command

Evaluation functions

dedup command

Last modified on 11 April, 2023
Suppressing false positives using alert throttling   Adjust the risk threshold to avoid high alert volume

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters