topic Re: Splunk Enterprise Security passing fields in notable settings in Getting Data In

Splunk Enterprise Security passing fields in notable settings

splunky_diamond — Mon, 20 May 2024 05:28:50 GMT

Hello Splunkers!

I have built my own correlation search:

From which I am generating a notable. In that notable I want to pass some fields using the $

I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason:

Can someone please tell me how can I make it work? Let me know if you want me to share some other configurations that I did, that might be relevant to this issue.

Thanks for taking your time reading and replying to my post ❤️

Re: Splunk Enterprise Security passing fields in notable settings

gcusello — Mon, 20 May 2024 06:14:40 GMT

Hi @splunky_diamond ,

I suppose that You are confusing passing some Correlation Search fields in the title of the CS itself (using a token) with the fields to display in an Incident review.
The example you gave is of the first type, but, if I correctly understand, you want to display other fields in the Notable information.
to do this you must add these fields to the Correlation Search results (e.g. as values in the stats command), so that they are written in the Notable event and then, go to [Configure > Incident Review>Incident Settings] and add these fields to those displayed (if they were not already present).

Ciao.

Giuseppe

Re: Splunk Enterprise Security passing fields in notable settings

splunky_diamond — Mon, 20 May 2024 09:20:25 GMT

@gcusello , I tried your suggestion, it worked for the "fudo_session" field, thank you!

However, I tried the same on "dvc" field and it does not work for some reason...

I tried extracting new field called "node_address" and added it to my search in the following way:

index=fudo_index completed_action="deleted session."
| stats values("node_address") as address values("user") as user values("fudo_session") as session values("completed_action") as "completed action" count("completed_action") as counter
| where 'counter'>0

And in the title of the notable I have the following:

Deleted recorded session $session$ detected on $address$

Also I added both fields in the incident review settings as you said.

Here is the result:

The value that should appear instead of "$address$" is the IPv4 address. When I was extracting the field node_address, I did it in the enterprise security app in the search. For the permissions I made it global with everyone being able to read and only admin with write permissions (just like fudo_session field).

If both of them are completely identical, why isn't this field getting evaluated like fudo_session? Could you please help with troubleshooting this?

Re: Splunk Enterprise Security passing fields in notable settings

gcusello — Mon, 20 May 2024 09:41:08 GMT

Hi @splunky_diamond,

probably this isn't the issue, but why do you use quotes?

index=fudo_index completed_action="deleted session." | stats values(node_address) AS address values(user) AS user values(fudo_session) AS session values(completed_action) AS "completed action" count(completed_action) AS counter | where counter>0

quots are mandatory when you have spaces or special chars in the field names.

Then, why don't you use an aggregation key (the BY clause)?

I'd try with something like this:

index=fudo_index completed_action="deleted session." | stats values(user) AS user values(fudo_session) AS session values(completed_action) AS "completed action" count(completed_action) AS counter BY node_address | where counter>0 | rename node_address AS address

Ciao.

Giuseppe

Re: Splunk Enterprise Security passing fields in notable settings

splunky_diamond — Mon, 20 May 2024 10:04:10 GMT

@gcusello , I used quotes when I was trying different cases, with hope that maybe adding them might somehow solve my problem, haha!

Anyways, I tried the last search that you provided :

Unfortunately, it didn't help the situation. the $address$ is still not resolved. By the way, it does not matter whether I try with this new field that I extracted, or if I try with the $dest$ or $dvc$ that were parsed in my logs from the beginning, for some reason neither of them resolve in the notable title 😞

Do you have any other ideas what I can check in order to solve my issue?

Cheers,
splunky_diamond

Re: Splunk Enterprise Security passing fields in notable settings

gcusello — Mon, 20 May 2024 10:37:14 GMT

Hi @splunky_diamond,

dest and dvc aren't in the Correlation Search, so it's correct.

Instead, address, shouldbe displayed.

Ciao.

Giuseppe

Re: Splunk Enterprise Security passing fields in notable settings

splunky_diamond — Tue, 21 May 2024 06:42:45 GMT

Hello @gcusello
Update: it actually did work! I just got new notable generated and the field value passed successfully!
Thank you very much!

Re: Splunk Enterprise Security passing fields in notable settings

gcusello — Tue, 21 May 2024 06:49:26 GMT

Hi @splunky_diamond ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉