Alerting

Is it possible to have a token in the saved search name that will be completed based on contents of a field value?

MikeElliott
Communicator

Hi Team,

A potentially unusual question here! I'm working to develop a saved search that picks up GuardDuty alerts. The saved search needs to be mapped against a threat framework like MITRE ATT&CK, and I was wondering if I can be lazy and have "One Rule to Rule Them All" so to speak.

Does anyone know if it is possible to have a token in the saved search name that will be completed based on the contents of a field value?

Example GuardDuty event types:

  • Recon:IAMUser/ResourcePermissions
  • Recon:IAMUser/UserPermissions
  • Persistence:IAMUser/NetworkPermissions

I'd love to be able to then use something like a regex to extract the first and last parts of the event type and pass them to a token in the saved search name, e.g.

  • GuardDuty:Recon:ResourcePermissions:XXX:YYY:ZZZ
  • GuardDuty:Persistence:NetworkPermissions:XXX:YYY:ZZZ

Unfortunately, different alerts for different event types are not an option in this scenario and the only other alternative I can see is to have a generic word there, but that's not overly descriptive to someone picking up the alert.

This would also be taking place in Splunk Cloud, and so the only changes we can make are via the front-end GUI.

Has anyone got any suggestions?

Kind regards,
Mike

0 Karma
1 Solution

aberkow
Builder

From what I'm understanding you want to add in a token from your result into your alert notification? That sounds pretty similar to what this page describes: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens:

$result.fieldname$:
First value for the specified field name from the first search result row. Verify that the search generates the field being accessed.

Example: There were $result.count$ login issues on $result.host$ in the past 5 minutes.

Hope this helps!

woodcock
Esteemed Legend

I like @aberkow's answer but perhaps you are asking something slightly different (it really is unclear). You may not be aware that you can save searches with tokens in them; these searches are unrunnable directly, but other searches can run them so that the real code is all stored in one place. Search for "replacement" here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Savedsearch

MikeElliott
Communicator

Thank you for your answer - This was really helpful! 😄

0 Karma

jacksonrolfe1
Engager

@MikeElliott Did you end up finding a solution to this?

0 Karma

MikeElliott
Communicator

So in theory, the tokenised saved search name would look like:

  • GuardDuty:$Token1$:$Token2$:XXX:YYY:ZZZ

0 Karma
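A worked example of the mechanism aberkow's answer and Mike's follow-up describe, added here for illustration (it is not code from the thread, from Splunk, or from the GuardDuty app): it splits a GuardDuty finding type into its first and last parts, the extraction Mike wants to do with a regex, and then fills `$result.<field>$` tokens in an alert-name template from the first result row, which is the behaviour the linked Splunk docs specify for result tokens. The field names `tactic`, `resource` and `technique`, the SPL `rex` shown in a comment, and the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# GuardDuty finding types have the shape ThreatPurpose:ResourceTypeAffected/ThreatFindingName,
# e.g. "Recon:IAMUser/ResourcePermissions" (the examples quoted in the question).
FINDING_TYPE_RE = re.compile(r"^(?P<tactic>[^:]+):(?P<resource>[^/]+)/(?P<technique>.+)$")

# Token syntax from the Splunk docs linked in the answer: $result.<field>$ is
# replaced with that field's value from the FIRST search result row.
RESULT_TOKEN_RE = re.compile(r"\$result\.(?P<field>[A-Za-z0-9_]+)\$")

# Alert-name template in the form Mike sketched (field names are assumptions).
TEMPLATE = "GuardDuty:$result.tactic$:$result.technique$:XXX:YYY:ZZZ"

# Constructed sample events, not real GuardDuty findings.
SAMPLE_EVENTS = [
    {"type": "Recon:IAMUser/ResourcePermissions", "accountId": "111111111111"},
    {"type": "Persistence:IAMUser/NetworkPermissions", "accountId": "111111111111"},
]


def extract_parts(finding_type: str) -> Dict[str, str]:
    """Split a finding type into tactic (first part) and technique (last part).

    The SPL equivalent this mirrors (assumed, not from the thread) would be:
      | rex field=type "^(?<tactic>[^:]+):(?<resource>[^/]+)/(?<technique>.+)$"
    """
    match = FINDING_TYPE_RE.match(finding_type)
    if not match:
        raise ValueError(f"unrecognised GuardDuty finding type: {finding_type!r}")
    return match.groupdict()


def render_result_tokens(template: str, rows: List[Dict[str, str]]) -> str:
    """Fill $result.<field>$ tokens from the first result row, as the docs describe.

    A token whose field is absent from that row is left untouched, which is the
    failure mode the docs warn about ("verify that the search generates the field").
    """
    if not rows:
        return template
    first = rows[0]
    return RESULT_TOKEN_RE.sub(lambda m: first.get(m.group("field"), m.group(0)), template)


def build_alert_name(template: str, events: List[Dict[str, str]]) -> str:
    """Enrich each event with the extracted parts, then render the template."""
    rows = [dict(event, **extract_parts(event["type"])) for event in events]
    return render_result_tokens(template, rows)


if __name__ == "__main__":
    print(build_alert_name(TEMPLATE, SAMPLE_EVENTS))
```

Because result tokens only ever read the first row, a single search that returns findings of several types will name the alert after just one of them; keeping that in mind when deciding how the alert triggers (per result rather than once per search) is the check a practitioner would want before relying on one generic rule.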