topic Re: Search for Alert Monitoring. in Splunk Enterprise Security

Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 07:24:22 GMT

hello,

Could anyone assist me in creating a correlation search to detect triggered alerts across all searches. This will enable us to monitor counts and automatically notify us if any situation escalates beyond control.

Thanks

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 07:42:05 GMT

If you want the list of triggered alerts please try this:

if instead tu want the list of alerts in your environment, you could use:

|rest/servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 08:58:55 GMT

@gcusello ,

How we can set the threshold for the second search like if any of the CS alerts more than 10 times it should trigger a notables !

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 09:04:25 GMT

Hi @AL3Z ,

the second search only lists the alerts not the triggered ones.

If you want the triggered alerts you have to use the first.

If you want to use a threshold, please try this:

If you're using Enterprise Security, you don't need to use a Correlation Search like this, but you could use the Risk Score for assets and identities, but it's too long to describe.

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 09:11:07 GMT

Can we use this CS in ES ?
Could you pls guide me how we could use the Risk Score for assets and identities?

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 09:18:49 GMT

Hi @AL3Z,

yes you can use it in cs, but you can also use Notables.

Anyway, as action when an alert is triggered, you can define a Risk Score to assign to an asset or to an identity instead to trigger an alert.

Then you can define a threshold for the risk score, so, you'll have a Notable when the risk score, for an asset or an identity exceeds the threshold.

See in the Actions from a Correlation Search the Risk Score and make some try, I cannot guide you more.

For more infos see at https://docs.splunk.com/Documentation/ES/7.2.0/RBA/Analyzerisk

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 09:54:02 GMT

@gcusello ,

Why we are not seeing the alerts for the disabled CS using the above search ?

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 09:52:14 GMT

Hi @AL3Z ,

No, you have only to define the asset (or the identity) in the correlation search.

In other words, in the results of your CS you must have an asset (or the identity) and define this field for the risk score.

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 10:04:50 GMT

Hi @AL3Z ,

the above search lists the triggered alerts, if an alert is disablen is also never triggered|

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 13:40:21 GMT

@gcusello ,

Why the triggered alerts from the search are not matching with the incident review alerts why so ?

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 14:01:41 GMT

Hi @AL3Z,

they match with the correlation searches, but thei contain also other alerts outside ES and anyway don't matcj with disabled CS.

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 14:09:02 GMT

@gcusello

I had chosen to specify only ES and I haven't consider the disabled CS but still, not all the alerts are showing up.

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 14:50:25 GMT

Hi @AL3Z,

I don't know: the above search lists all the triggered alerts.

Otherwise you could run a search on the notable index and have the count for the triggered searches:

index=notable | stats count BY search_name | where count>10

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 15:08:21 GMT

Hi @gcusello ,

Can we use it as a CS to trigger an alert when it exceeds the alert threshold ?

Re: Search for Alert Monitoring.

gcusello — Thu, 14 Dec 2023 15:51:41 GMT

Hi @AL3Z,

if you don't use the original CS, you don't have the notables for searching.

For this reason I hinted to use the risk score instead the notable as action.

You need someone that really knows ES to guide you or a training on ES using or administering.

Ciao.

Giuseppe

Re: Search for Alert Monitoring.

AL3Z — Thu, 14 Dec 2023 16:46:01 GMT

@gcusello

I didn't get what is original CS mean is that with index notable or previous search ?
can you pls guide me or share me link to get master in ES!