The answer from Splunk is that the notable event suppression only hides notable events from the Incident Review dashboard. Since the alert conditions are still met, it will still fire the Adaptive Response action, send email, etc. The only way to prevent the alert from firing any other action is to either build the suppression into your correlation search or change the alert trigger conditions.
I'm having this issue also. Not only with emails but adaptive response actions also. Trying to suppress a notable event from occurring but still getting a barrage of emails or incidents in a ticketing system isn't ideal. I'm going to put a support ticket in to see if they have any answers on it.
+Please e-mail brazowy at proton mail dott com from your organisation-provided e-mail account (ideally PGP/SMIME signed) with the exact subject line "Security Playbook Project Registration". This is required so association with your organisation can be confirmed but will be kept in strict confidence. Please include your github account in the e-mail so we can send you a repository invite. The github account you provide does not need to be associated in any way with your organisation.
I tried this but still haven't heard back as of yet.
Can you use timewrap to populate a single value visualization with trend indicator? For instance I want the last 7 days to populate the single value and the week before that to be fed into the trend indicator.