topic How to set Urgency in a correlation search based on failure count? in Splunk Enterprise Security

How to set Urgency in a correlation search based on failure count?

stefan1988 — Wed, 28 Dec 2016 09:57:10 GMT

The urgency in a correlation search is calculated by the corr. search severity + the asset/identity priority.

Is it possible to calculate the urgency based on the count of failures?

I'm Using Enterprise Security 4.5.1 and I saw you can set Risk Modifiers under "Add New Response Action", but I couldn't find any option to set the urgency based on a field value (i.e. a count of failures).

Many thanks.

Kind regards,
Stefan

Re: How to set Urgency in a correlation search based on failure count?

smoir_splunk — Wed, 04 Jan 2017 01:07:09 GMT

You'd want to change the severity of the correlation search according to the number of failures.

For example, you could append something like this to the end of the correlation search

 | eval severity=case(failure>100,"critical",failure>50,"high",...

Then the urgency calculations will take that severity into account, and be adjusted accordingly.