Is it possible to have a token in the saved search name that will be completed based on contents of a field value?

Communicator

Hi Team,

A potentially unusual question here! I'm working to develop a saved search that picks up GuardDuty alerts. The saved search needs to be mapped against a threat framework like MITRE ATT&CK, and I was wondering if I can be lazy and have "One Rule to Rule Them All" so to speak.

Does anyone know if it is possible to have a token in the saved search name that will be completed based on the contents of a field value?

Example GuardDuty event types:

  • Recon:IAMUser/ResourcePermissions
  • Recon:IAMUser/UserPermissions
  • Persistence:IAMUser/NetworkPermissions

I'd love to be able to then use something like a regex to extract the first and last parts of the event type and pass them to a token in the saved search name, e.g.

  • GuardDuty:Recon:ResourcePermissions:XXX:YYY:ZZZ
  • GuardDuty:Persistence:NetworkPermissions:XXX:YYY:ZZZ

Unfortunately, different alerts for different event types are not an option in this scenario and the only other alternative I can see is to have a generic word there, but that's not overly descriptive to someone picking up the alert.

This would also be taking place in Splunk Cloud, and so the only changes we can make are via the front-end GUI.

Has anyone got any suggestions?

Kind regards,
Mike


Builder

From what I'm understanding you want to add in a token from your result into your alert notification? That sounds pretty similar to what this page describes: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens:

$result.fieldname$:
First value for the specified field name from the first search result row. Verify that the search generates the field being accessed.

Example: There were $result.count$ login issues on $result.host$ in the past 5 minutes.

Hope this helps!

Esteemed Legend

I like @aberkow's answer but perhaps you are asking something slightly different (it really is unclear). You may not be aware that you can save searches with tokens in them; these searches are un-runnable directly, but other searches can run them so that the real code is all stored in one place. Search for replacement here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Savedsearch

Communicator

Thank you for your answer - This was really helpful! 😄

Communicator

So in theory, the tokenised saved search name would look like:

  • GuardDuty:$Token1$:$Token2$:XXX:YYY:ZZZ
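
The extraction and substitution the thread converges on (the question's regex over the GuardDuty finding type, and the accepted answer's `$result.fieldname$` tokens filled from the first result row), as an added Python illustration that is not part of the original thread. It assumes the documented GuardDuty type layout `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact`; in Splunk itself the same split would be a `rex` extraction in the saved search and the title would be the template string.

```python
import re

# Documented GuardDuty finding-type layout (only the first two parts are mandatory):
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[^:/]+):(?P<resource>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)

# Result-token syntax quoted from the Splunk docs in the accepted answer: $result.fieldname$
TOKEN_RE = re.compile(r"\$result\.(?P<field>[A-Za-z_][A-Za-z0-9_]*)\$")


def extract_finding_fields(finding_type):
    """Split a GuardDuty finding type into named fields; None if it is malformed."""
    m = FINDING_TYPE_RE.match(finding_type)
    return m.groupdict() if m else None


def render_alert_name(template, first_result):
    """Fill $result.field$ tokens from a single (first) result row.

    Splunk takes result tokens from the first row only. A field that is missing
    from the row is rendered as an empty string here (an assumption of this
    example), which is exactly why the docs say the search must generate it.
    """
    def substitute(match):
        value = first_result.get(match.group("field"))
        return "" if value is None else str(value)
    return TOKEN_RE.sub(substitute, template)


def build_alert_name(finding_type, template):
    """Combine extraction and rendering; None when the type cannot be parsed."""
    fields = extract_finding_fields(finding_type)
    return None if fields is None else render_alert_name(template, fields)


if __name__ == "__main__":
    # Constructed sample: the finding types from the question, plus one with all parts.
    template = "GuardDuty:$result.purpose$:$result.family$:XXX:YYY:ZZZ"
    for finding_type in ("Recon:IAMUser/ResourcePermissions",
                         "Persistence:IAMUser/NetworkPermissions",
                         "Backdoor:EC2/C&CActivity.B!DNS"):
        print(build_alert_name(finding_type, template))
```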