topic Re: Splunk query for use case onboarded in Splunk Enterprise Security

Splunk query for use case onboarded

Sankar — Fri, 24 Jan 2025 12:57:29 GMT

we have 100+ use cases onboarded into splunk ES. also we are receiving the alerts few of them but i want to know exact count how many use cases onboarded into the splunk in that how many triggered the alerts?

much appreciated any one guide.

Re: Splunk query for use case onboarded

gcusello — Fri, 24 Jan 2025 13:45:58 GMT

Hi @Sankar,

Correlation Searches, in ES, write triggered alerts in the notable index.

You can see in this index and create a statistic for search_name:

index=notable | stats count BY search_name

Ciao.

Giuseppe

Re: Splunk query for use case onboarded

Sankar — Fri, 24 Jan 2025 15:07:10 GMT

Thanks @gcusello

its working.

i want to filter each alert, based on Urgency like (High, Medium, Low, informational)

I tried below query but its not working.

| fields Title Urgency | table Title Urgency

Re: Splunk query for use case onboarded

gcusello — Fri, 24 Jan 2025 15:03:59 GMT

Hi @Sankar ,

do you want to dispay urgency of each search or to filter results by urgency?

in the first case:

index=notable | stats values(urgency) As urgency count BY search_name

in the second case (to have only notable with urgency=high):

index=notable urgency=high | stats count BY search_name

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Splunk query for use case onboarded

Sankar — Fri, 24 Jan 2025 16:31:24 GMT

Hi @gcusello

First case query its working. but urgency field i don't see any severity.
all alerts urgency field is empty only. but in the rule we set under Adaptive response actions--> notable -->severity value. (Ex High, Medium, Low, informational)

we have 40+ indexes so i want to each alert for Search Name, Index, Urgency, count.

hope you can able to share right info.

Re: Splunk query for use case onboarded

gcusello — Fri, 24 Jan 2025 16:51:11 GMT

Hi @Sankar ,

Urgency depends on Priority (from the Correlation Search) and priority (from the Asset/Identity).

Didi you defined Priority in Asset and Identity Management?

Ciao.

Giuseppe

Re: Splunk query for use case onboarded

Sankar — Fri, 24 Jan 2025 17:58:51 GMT

Hi @gcusello I understand your points. As a Splunk SME i have created the rules and urgency values has been set in correlation search.

but do we really need Asset/Identity management?
Ass/IM taking care by different teams.

I have enabled use cases & its triggered alerts also, only thing is we are unable to see Urgency Field values. what is the best practice to view urgency filed?

Thank you so much for responding my queries.

Re: Splunk query for use case onboarded

gcusello — Sat, 25 Jan 2025 15:01:53 GMT

Hi @Sankar ,

if you haven't Asset and Identity management you cannot define Priority but only urgency: use it in your reports.

Ciao.

Giuseppe

Re: Splunk query for use case onboarded

Sankar — Tue, 28 Jan 2025 09:50:37 GMT

Hi @gcusello

do we have any reference guide from splunk? or servicenow?

Re: Splunk query for use case onboarded

gcusello — Tue, 28 Jan 2025 10:37:17 GMT

Hi @Sankar ,

only training on ES:

you must define a search to extract assets and identities from AD logs or from Servicenow.

these items must be formatted (field names) using the names that you can find in assets and identities management in ES.

When you created this search, you can schedule it adding the information about priority (e.g. Domain Controllers have a critical Priority, pcs of CEO and managers have a critical priority, if you are an eCommerce company, payment services are critical and so on based on your Business Impact Analysis.

Ciao.

Giuseppe