Currently, I'm trying to leverage a lookup table to accomplish the following:
I currently have an alerting setup for authentications that occur from outside of the country. However, I would like to suppress alerting for specific users for an X amount of time. I have tried using the throttling feature; however, it is suppressing ALL alerts for the specified time.
For example, an alert for John Smith logging in from Australia. Once I validate that this is, in fact, John Smith, I want to write this entry to a lookup table. The next time the search is run, it should look up the username fields in my lookup table and suppress any future alerts from him for, let's say, 1 week to avoid alarm fatigue. Below is what I have so far. Not sure where to go from here or if I'm even headed in the right direction with this.
index="authenticatior" action=success | search "location.country"!="" AND "location.country"!="US" | table _time, device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last
| inputlookup append=t mylookup.csv
| outputlookup mylookup.csv
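One way to get the per-user, time-limited suppression described above, as an added example that is not from the original post: the lookup stores an expiry timestamp per user, so the alert search drops a user only while that expiry is in the future. The lookup file name suppressed_users.csv, the field validated_until and the username jsmith are assumptions. The first search is run once by the analyst after validating the login; the second is the scheduled alert search.

```spl
| makeresults
| eval username="jsmith", validated_until=relative_time(now(), "+7d")
| inputlookup append=t suppressed_users.csv
| dedup username
| outputlookup suppressed_users.csv

index="authenticatior" action=success "location.country"!="" "location.country"!="US"
| lookup suppressed_users.csv username OUTPUT validated_until
| where isnull(validated_until) OR _time > tonumber(validated_until)
| fields - validated_until
| table _time, device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last
```

In the first search, `dedup username` keeps the row from `makeresults` (it comes first), so re-validating a user replaces the old expiry rather than adding a duplicate; because the expiry is an epoch value, old entries stop suppressing on their own and the `where` clause lets the user's logins alert again after the week is up.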