topic Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review in Dashboards & Visualizations

Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

ravida — Mon, 20 May 2024 19:07:55 GMT

Hi folks,

This has been bugging me for a while. When I click on a custom-made correlation search in the Security Posture's Top Notable Events dashboard pane, it doesn't filter for that rule name in the incident review, it just shows all of them. Where do I configure it to drill down properly?

Thanks!

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

gcusello — Tue, 21 May 2024 05:50:44 GMT

Hi @ravida ,

when you created the Correlation Search, did you associate the "Add Notable" Adaptive Response Action?

Then, when you configure the Add Notable Adaptive Response Action, did you created the Drilldown Search?

Ciao.

Giuseppe

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

ravida — Wed, 22 May 2024 20:24:21 GMT

They are blank. I was under the impression these are for showing the contributing events. Although I am trying to get the "Incident Review" to only show those notables in the list, instead of all notables.

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

ravida — Thu, 23 May 2024 13:44:27 GMT

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

gcusello — Thu, 23 May 2024 14:50:57 GMT

Hi @ravida,

I never experienced this behavior and I'm using many custom Correlation Searches,

Is this issue present for all the CS or only for that?

Ciao.

Giuseppe

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

ravida — Thu, 23 May 2024 16:53:48 GMT

It happens for all of them.

The strange part is, when i first click, you can see the notable name in the URL after "/incident_review?form.rule_name=(rule name)" followed by earliest/latest timestamos

but after a moment it disappears and is replaced with a new URL which only has the earliest/latest values

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

gcusello — Fri, 24 May 2024 05:48:04 GMT

Hi @ravida ,

as I said, I never experienced this behavior and I'm using many custom Correlation Searches,

Open a case to Splunk Support.

Ciao.

Giuseppe

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

Mark_Heimer — Sun, 08 Sep 2024 15:09:23 GMT

Hi there,

the same story is true for me. Actually after updating ESCU to 4330.
Not only for custom correlation search rules but for cloned rules.
before that everything was ok!
when u clone a built-in rule e.g "Excessive Failed Logins" to something like "Excessive Failed Logins- Custom", in Security Posture's Top Notable Events dashboard pane it appears like "Access - Excessive Failed Logins- Custom - Rule" and when u click on it to open in incident review, it doesn't filter out this as selected source but all incidents are listed as if no filter is selected.

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

gcusello — Mon, 09 Sep 2024 06:10:12 GMT

Hi @Mark_Heimer ,

did you modified only the Correlation Search name or also the Notable name?

in the Incident Review name you see the Notable name not the Correlations Search name.

In addition, I always prefer, when I clone a CS, move it in a custom app and don't release it in the Enterprise Security apps, in this way, I have all the customizations in a custom app, it isn't mandatory but you have a cleaner and more ordered situation.

Ciao.

Giuseppe

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

Mark_Heimer — Tue, 10 Sep 2024 08:08:27 GMT

Hi dear Giuseppe,

thanks for fast reply.

here is what i did.

I click on Configure menu, then go on to Content/Content Management. From filers I select and check Correlation Search from the drop-down list. then from "Actions" on the top right corner i hit "Clone".

in the new window there are "New Search Label" which i add "- custom" to the end of it. then i select the App and put it on "SA-AccessProtection".

next in "Edit Correlation Search " i will make any change to the "Search" and click save. Done!

this is all i do.

The point is even if i enable both of them, the two will appear in the "Top Notable Events" pane and both are working simultaneously. clicking on the original rule redirects u to the "Incident Review" page with the correct rule selected as source. but when clicking on the cloned or newly created rule you'll be redirected to the "Incident Review" page with all incidents listed and source field has no selected value.

the strange part is that rules that i had created or cloned in the past (about ) are working fine.

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

gcusello — Tue, 10 Sep 2024 09:09:39 GMT

Hi @Mark_Heimer ,

you should have, in the bottom of the form, the choice of the Adaptive Response Action, and between them you should have Create Notable.

In this part of the Form, you can modify the name of the Notable.

About the app, Splunk PS hints to save own Correlation Searches in a dedicated custom app not in "SA-AccessProtection".

Ciao.

Giuseppe

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

Mark_Heimer — Tue, 10 Sep 2024 09:55:12 GMT

Hi dear Giuseppe,

when i clone a rule, Adaptive Response Actions options (i.e. Notable) and most of the times, Risk Analysis are present by default as are other fields and options the same as the original rule. that's why i clone a rule.

second, i used to do so for a long time but never had come up with this problem. and as you mentioned earlier my custom rules were working just fine.

about the app, i used my custom app and "SA-AccessProtection" was my last try.

And for newly created custom app i do create notable.

thanks

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

gcusello — Tue, 10 Sep 2024 11:00:49 GMT

Hi @Mark_Heimer ,

obviously cloning a CS you have the same settings of the original one, so also the same Notable name.

My hint is to enter in the cloned Create Notable Adaptive Response Action, and modify the Notable Name, in this way, you'll have in the Incident View the modified name.

About the app to contain the custom CSs, this is an hint from PS.

Ciao.

Giuseppe

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

Mark_Heimer — Tue, 10 Sep 2024 13:22:57 GMT

Hi Giuseppe,

I did exactly what you said. but no luck!

In another try, I even created a search and saved it as an alert, named it "rule-4444" then added a notable to it as an action.

it appeared as "rule-4444" in the "Top Notable Events" in the Security Posture page. but when i click on it, it is redirected to incident review page but again all incidents listed.

the same thing as ravida says happening.

when u first click on it, you can see the notable name in the URL after (incident review page )"/incident_review?form.rule_name=rule-4444" followed by earliest/latest timestamps

but after a while when the page load completes it disappears and is replaced with a new URL which only has the earliest/latest values

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

Mark_Heimer — Wed, 11 Sep 2024 09:14:07 GMT

Hi,

Another strange thing that happens to me and i just realized is that when i refresh the page "incident Review" with correctly loaded filters and showing true notable results, the filter "source" becomes something like this:

source: Access%20-%20Excessive%20Failed%20Logins%20-%20Rule

And no results are shown on the page after page refresh.

thanks.

Re: Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

gcusello — Wed, 11 Sep 2024 09:41:20 GMT

Hi @Mark_Heimer ,

check how you created the drilldown filter, because these are html codes.

Ciao.

Giuseppe