Alerting

Once vs For Each Notable Response Actions Clarification

mobrien1
Explorer

I wanted to get some clarification on how trigger conditions affect notable response actions for correlation searches in Enterprise Security. The trigger condition options are between "Once" and "For each Result", and I believe I understand the difference. However, under them there is a little blurb that says "Notable response actions and risk response actions are always triggered for each result."

[attached screenshot: mobrien1_0-1720722111909.png]

To me, this essentially nullifies "Once" since the action will be triggered for each result. As a result, I fail to see how "Once" is any different than "For each Result". But surely they can't be the same. 


gcusello
SplunkTrust

Hi @mobrien1 ,

I suppose that the meaning of the statement is that, e.g., the risk score is counted for each value you can find in the results of your Correlation Search, so if you have more hosts in the results, the Risk Score is counted for all of them.

But why did you post this question?

Ciao.

Giuseppe
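As an added illustration (not from the thread, and not Splunk's shipped content), here is what the UI choices discussed above look like in savedsearches.conf for a correlation search. The stanza name, the search body and the thresholds are invented for the example; the key names are the ones Enterprise Security writes for correlation searches in ES 6.x/7.x, so check savedsearches.conf.spec for your version before copying them. The point the conf makes visible is that the "Once" / "For each result" choice is a single core-Splunk setting (`alert.digest_mode`), while the notable and risk actions are separate adaptive response keys that the quoted note says run per row regardless of it.

```ini
# Added example, not from the original post. Stanza name, search, thresholds and
# field names are constructed; key names are those ES uses for correlation searches
# (verify against savedsearches.conf.spec for your ES version).

[Threat - Excessive Failed Logins Per Source - Rule]
# Each returned row is one (src, user) pair, so a single run can return many rows.
search = | tstats summariesonly=true count from datamodel=Authentication \
    where Authentication.action="failure" earliest=-60m \
    by Authentication.src, Authentication.user \
  | rename Authentication.* as * \
  | where count > 20
cron_schedule = */15 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1

# Trigger condition from the UI:
#   "Once"            -> alert.digest_mode = 1 (the default)
#   "For each result" -> alert.digest_mode = 0
# This is what decides whether core alert actions (email, script, webhook) fire once
# with the whole result set or once per row, and therefore whether Triggered Alerts
# shows one entry or one entry per row for the run.
alert.digest_mode = 1
alert.track = 1

# Notable response action. Per the note quoted in the question, this runs for each
# row whatever alert.digest_mode says: one notable per (src, user) pair.
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $src$ as $user$
action.notable.param.rule_description = $count$ failed logins from $src$ for $user$ in the last hour
action.notable.param.security_domain = access
action.notable.param.severity = medium

# Risk response action, also per row. With the risk object set to src, two rows that
# share a src each contribute 20, so that src accumulates 40 (the per-value counting
# described in the reply above).
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 20
action.risk.param._risk_message = Excessive failed logins from $src$ as $user$
```

To see which mode an existing correlation search is actually in, rather than trusting the UI radio button, read the stanza back over REST from a search bar: `| rest /servicesNS/-/-/saved/searches | search title="Threat - Excessive Failed Logins Per Source - Rule" | fields title alert.digest_mode action.notable action.risk`. Comparing the number of rows the search returns with the number of entries in Triggered Alerts and the number of new notables in the same run is the quickest way to confirm the behaviour the quoted note describes on your own version.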

mobrien1
Explorer

I think I would agree with your first statement.

But the reason I posted this question is that the phrase "Notable response actions and risk response actions are always triggered for each result." effectively makes "Once" and "For each result" the same thing (at least in my mind). But they are two distinct options, so I feel like they can't be the same. This makes me think I'm misunderstanding something. 


gcusello
SplunkTrust

Hi @mobrien1 ,

Maybe "Once" and "For each result" come from Alerts.

I don't find any other answer.

Let me know if I can help you more; otherwise, please accept one answer for the other people in the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

mobrien1
Explorer

Yeah, maybe some others will chime in. The only thing I can think of is that the number of alerts that show up in Triggered Alerts would be different depending on which option ("Once" or "For each") you select. I saw this post, which is sort of similar, but no one responded to it.
