topic Re: How does Splunk define and assign urgency in Splunk Enterprise Security? in Splunk Enterprise Security

How does Splunk define and assign urgency in Splunk Enterprise Security?

bettymh — Sun, 11 Dec 2016 13:09:29 GMT

Hello everyone

I'm using Splunk Enterprise Security, and at the first sight, I saw urgency which includes: "critical, high, medium, law, info"

How are these actions divided to these groups? Is there any code behind it as the code in investigations which we could change them manually?

Re: How does Splunk define and assign urgency in Splunk Enterprise Security?

koshyk — Sun, 11 Dec 2016 15:55:31 GMT

hi,
Urgency is a combination of
1. Priority of the Device when you build your assets (You can fetch from external sources (eg cmdb) or assign manually. Doc link)
2. Severity of the use-case ( You define them when you write the use case/co-relation search)
Matrix attached below. Further details of how it can be done etc is show here

Re: How does Splunk define and assign urgency in Splunk Enterprise Security?

rpille_splunk — Sun, 11 Dec 2016 16:57:04 GMT

Documentation of the above can be found here: http://docs.splunk.com/Documentation/ES/4.5.1/User/NotableEvents#How_urgency_is_assigned_to_notable_events

Re: How does Splunk define and assign urgency in Splunk Enterprise Security?

bettymh — Mon, 12 Dec 2016 06:24:37 GMT

Thank you a lot koshyk (@koshyk)

but...
to clear my meaning, my exact question is how it can understand these priority and severity?

for example there is a medium risk attack, and splunk understand it as a medium...right? how they do it exactly?
or maybe it is critical but they said high, we can change them manually! so there must be something, or some code behind it! to define them as a priority and severity!

Re: How does Splunk define and assign urgency in Splunk Enterprise Security?

rxie_splunk — Mon, 12 Dec 2016 18:57:52 GMT

Will the search command help you?

From Incident Review dashboard, click Job -> Inspect Job on the timeline chart
A new window opens. Click search.log link at the top
Text search for 'SearchParser - AFTER EXPANDING MACROS' and you will see the SPL search command there.
Copy the command and run it in the Search and you will see how these data computed

Re: How does Splunk define and assign urgency in Splunk Enterprise Security?

AnthonyTibaldi — Mon, 12 Dec 2016 19:19:30 GMT

You wrote

"but...
to clear my meaning, my exact question is how it can understand these priority and severity?

Splunk assigns ugency by mapping the assigned severity to the assigned priority of the asset for the various correlation searches.

It is important to check the chart given in the answer above by koshyk . I found most of our assets were classified as unknown therefore lowering the urgency of the alert.

What we did to fix this situation was to change the columns so that ugency matched the assigned severity. This may not have been the best solution but it solved our issue. We were then easily able to map the urgency on the incident review dashboard to the expected severity in the correlation search as it no longer considered the asset in making the determination.

Hope this helps.

Re: How does Splunk define and assign urgency in Splunk Enterprise Security?

koshyk — Mon, 12 Dec 2016 20:46:21 GMT

hi, I've added bit more description to my answer on how to assign them. If you think it is ok, please mark it as answer. cheers