topic Re: how to check severity of notable event in Splunk Enterprise Security

how to check severity of notable event

snigdhasaxena — Mon, 17 Sep 2018 08:27:02 GMT

I want to check the severity of notable events so that I can hardcode the value of urgency without using lookups.
Is there a way to check urgency of notable events ?

Re: how to check severity of notable event

harsmarvania57 — Mon, 17 Sep 2018 12:15:57 GMT

Hi @snigdhasaxena,

Please refer this document http://docs.splunk.com/Documentation/ES/5.1.0/User/Howurgencyisassigned, you will get answer.

Re: how to check severity of notable event

snigdhasaxena — Mon, 17 Sep 2018 13:01:18 GMT

Hi,

Thanks for responding but I want to see severity tagged to each notable event and not how it is assigned.
Do we have any field which corresponds to severity values.

Re: how to check severity of notable event

sheamus69 — Tue, 29 Sep 2020 21:19:19 GMT

If left to Splunk defaults, the severities should be calculated based on the severity assigned to the notable event, cross referenced with the priorities of affected assets and users.

However, you can manually set a severity value by using a field called "severity", which Splunk will use as the severity value. This can be useful for when you want to dynamically change the severity based on other factors, such as a CVE score on an IDS detection.

e.g.

...|eval severity=case(cvs_score>9, "critical", cvs_score>7, "high", cvs_score>4, "medium", cvs_score>0, "low", 1==1, "unknown")

It is also worth noting that some IDS/IPS/AV systems use a severity field by default which overrides the ES calculated severity. Where this is not desired, it is worth renaming the field in the logs to something like:

...|rename severity as orig_severity

Re: how to check severity of notable event

harsmarvania57 — Mon, 17 Sep 2018 14:49:50 GMT

Ok, if I am understanding your requirement correctly you would like to know severity of all notable events and not urgency. In this case while looking at ES structure when you create Correlation Search and add Adaptive Response as Notable, at that time you need select the severity and that severity will be assigned to all notable events generated by that Correlation search.

When correlation search runs and if any events found and if you have selected Adaptive response as notable then all those output events of correlation search goes to notable index and if you would like to know the severity of those notable events in that case you can run below query.

index=notable | lookup correlationsearches_lookup _key AS search_name OUTPUTNEW severity