Hi Team,
A potentially unusual question here! I'm working to develop a saved search that picks up GuardDuty alerts. The saved search needs to be mapped against a threat framework like MITRE ATT&CK, and I was wondering if I can be lazy and have "One Rule to Rule Them All" so to speak.
Does anyone know if it is possible to have a token in the saved search name that will be completed based on the contents of a field value?
Example GuardDuty event types:
I'd love to be able to then use something like a regex to extract the first and last parts of the event type and pass them to a token in the saved search name, e.g.
Unfortunately, different alerts for different event types are not an option in this scenario and the only other alternative I can see is to have a generic word there, but that's not overly descriptive to someone picking up the alert.
This would also be taking place in Splunk Cloud, and so the only changes we can make are via the front-end GUI.
Has anyone got any suggestions?
Kind regards,
Mike
From what I'm understanding you want to add in a token from your result into your alert notification? That sounds pretty similar to what this page describes: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens:
$result.fieldname$: First value for the specified field name from the first search result row. Verify that the search generates the field being accessed.
Example: There were $result.count$ login issues on $result.host$ in the past 5 minutes.
Hope this helps!
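As an added example (not code from this thread), assuming GuardDuty's documented finding type format ThreatPurpose:ResourceTypeAffected/ThreatFindingName arrives in a field named `type`: the search below derives the fields that the `$result.fieldname$` tokens from the linked doc can reference in the alert's subject or message. The sample rows are constructed with makeresults; a real search would start from your GuardDuty index (placeholder index=<guardduty_index>).

```spl
``` Constructed sample findings standing in for real GuardDuty events ```
| makeresults count=3
| streamstats count AS n
| eval type=case(n==1, "Recon:EC2/PortProbeUnprotectedPort",
                 n==2, "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
                 n==3, "Backdoor:EC2/C&CActivity.B!DNS")
``` Split ThreatPurpose:ResourceTypeAffected/ThreatFindingName into three fields ```
| rex field=type "^(?<threat_purpose>[^:]+):(?<resource_type>[^/]+)/(?<finding_name>.+)$"
``` One row per purpose/resource pair; the busiest pair is sorted first because
    $result.*$ tokens only read the first result row ```
| stats count AS findings values(finding_name) AS finding_names BY threat_purpose resource_type
| sort - findings
``` Email action subject set in the alert GUI (assumed wording):
    GuardDuty $result.threat_purpose$ finding on $result.resource_type$ ($result.findings$ in window) ```
```

Because the tokens take the first row only, a single trigger covering several finding types will surface just one purpose/resource pair in the subject; the full list stays in the attached results.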
I like @aberkow's answer, but perhaps you are asking something slightly different (it really is unclear). You may not be aware that you can save searches with tokens in them; these searches are un-runnable directly, but other searches can run them, so that the real code is all stored in one place. Search for "replacement" here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Savedsearch
Thank you for your answer - This was really helpful! 😄
@MikeElliott Did you end up finding a solution to this?
So in theory, the tokenised saved search name would look like: