Creating lookups to reduce noisy alert volume
Create lookups using the Splunk App for Lookup File Editing and use the lookups in searches and dashboards to reduce noisy alert volume. Lookups help to add context and track changes during an investigation, manage asset and identity correlation with events, match threat indicators with events, and enrich dashboards and panels with information.
Use lookups to separate the source and destination pairs that represent regular business traffic from those that indicate risk.
For example, in the following search the subsearch inside the NOT clause reads the RR_Proxy_Allowlist.csv lookup, and the rename command strips the data model prefix Web. from the lookup's field names so that they match the src and dest fields of the raw proxy events. Every src/dest pair in the lookup is then excluded from the search results:
index=proxy http_method="POST"
    NOT [| inputlookup RR_Proxy_Allowlist.csv
         | fields Web.src Web.dest
         | rename Web.* AS *]
You can also run the same exclusion against the Web data model with tstats. Because the accelerated data model fields already carry the Web. prefix, the subsearch does not need the rename command:
| tstats summariesonly=t values(Web.dest) AS dest
    FROM datamodel=Web.Web
    WHERE Web.http_method="POST"
        NOT [| inputlookup RR_Proxy_Allowlist.csv
             | fields Web.src Web.dest]
    BY _time, Web.src
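Before an allowlist is wired into a correlation search, it is worth knowing how much traffic it will suppress. The following two searches are an added example and are not part of the original page: the first populates RR_Proxy_Allowlist.csv with two constructed src/dest pairs (the addresses and hostnames are made up), and the second reports how many POST events in the Web data model the allowlist would drop versus keep.

```spl
| makeresults count=2
| streamstats count AS n
| eval src=case(n==1, "10.0.0.5", n==2, "10.0.0.9"),
       dest=case(n==1, "updates.example.com", n==2, "crm.example.com")
| rename src AS "Web.src", dest AS "Web.dest"
| fields Web.src Web.dest
| outputlookup RR_Proxy_Allowlist.csv

| tstats summariesonly=t count
    FROM datamodel=Web.Web
    WHERE Web.http_method="POST"
    BY Web.src Web.dest
| lookup RR_Proxy_Allowlist.csv Web.src Web.dest OUTPUTNEW Web.dest AS allowlisted_dest
| eval allowlisted=if(isnotnull(allowlisted_dest), "suppressed", "kept")
| stats sum(count) AS events dc(Web.src) AS sources BY allowlisted
```

Run the second search over the same time range as the correlation search; a large "suppressed" share is a signal to review the lookup entries before relying on them.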
See also
For more information on lookups and dashboards, see the product documentation:
Create and manage lookups in Splunk Enterprise Security
Create and manage search-driven lookups in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2