Archive
Highlighted

Programatically setting severity within a search

Engager

I am writing a search that will track when the firewall sees outbound traffic over non-standard ports. I have a requirement that states if the destination ip is a known malicious domain, then the severity should be critical. Otherwise, it will be medium. I can certainly accomplish this by writing two searches (one for malicious domains, one for non-malicious domains), but was wondering if I could do it within one search.

Tags (3)
0 Karma
Highlighted

Re: Programatically setting severity within a search

Super Champion

You should look at the append or join command.
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Append

or

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Join

Another option would be to provide cleaned but representative search results that you want to combine.

0 Karma
Highlighted

Re: Programatically setting severity within a search

Communicator

I think you can manually set the severity field from within the correlation search (field name is "severity"). I would approach this by performing your lookup for known malicious domains and if true then set the severity to critical.

Something like might work:

...|lookup nastyiplist ip OUTPUT ip as nastyip|eval severity=if(len(nastyip)>0,"critical","medium")|...

0 Karma