Dashboards & Visualizations

Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

ravida
Explorer

Hi folks,


This has been bugging me for a while. When I click on a custom-made correlation search in the Security Posture's Top Notable Events dashboard pane, it doesn't filter for that rule name in the incident review, it just shows all of them. Where do I configure it to drill down properly?


Thanks!



Mark_Heimer
Engager

Hi there,

The same story is true for me, actually after updating ESCU to 4330.
Not only for custom correlation search rules but for cloned rules.
Before that everything was OK!
When you clone a built-in rule, e.g. "Excessive Failed Logins", to something like "Excessive Failed Logins- Custom", in Security Posture's Top Notable Events dashboard pane it appears like "Access - Excessive Failed Logins- Custom - Rule", and when you click on it to open in Incident Review, it doesn't filter on this as the selected source, but all incidents are listed as if no filter is selected.


gcusello
SplunkTrust

Hi @Mark_Heimer ,

did you modify only the Correlation Search name or also the Notable name?

In Incident Review you see the Notable name, not the Correlation Search name.

In addition, when I clone a CS I always prefer to move it into a custom app and not release it in the Enterprise Security apps; in this way I have all the customizations in a custom app. It isn't mandatory, but you get a cleaner and more ordered situation.

Ciao.

Giuseppe


Mark_Heimer
Engager

Hi dear Giuseppe,

Thanks for the fast reply.

Here is what I did.

I click on the Configure menu, then go on to Content/Content Management. From the filters I select and check Correlation Search from the drop-down list. Then from "Actions" in the top right corner I hit "Clone".

In the new window there is "New Search Label", to which I add "- custom" at the end. Then I select the App and put it in "SA-AccessProtection".

Next, in "Edit Correlation Search" I make any change to the "Search" and click Save. Done!

This is all I do.

The point is, even if I enable both of them, the two will appear in the "Top Notable Events" pane and both are working simultaneously. Clicking on the original rule redirects you to the "Incident Review" page with the correct rule selected as source. But when clicking on the cloned or newly created rule, you'll be redirected to the "Incident Review" page with all incidents listed and the source field has no selected value.

The strange part is that rules that I had created or cloned in the past (about ) are working fine.


gcusello
SplunkTrust

Hi @Mark_Heimer ,

At the bottom of the form you should have the choice of Adaptive Response Actions, and among them you should have Create Notable.

In this part of the Form, you can modify the name of the Notable.

About the app, Splunk PS hints to save your own Correlation Searches in a dedicated custom app, not in "SA-AccessProtection".

Ciao.

Giuseppe


Mark_Heimer
Engager

Hi dear Giuseppe,

When I clone a rule, the Adaptive Response Actions options (i.e. Notable) and, most of the time, Risk Analysis are present by default, as are other fields and options, the same as the original rule. That's why I clone a rule.

Second, I used to do so for a long time but never came up against this problem, and as you mentioned earlier my custom rules were working just fine.

About the app, I used my custom app, and "SA-AccessProtection" was my last try.

And for the newly created custom app I do create a notable.

Thanks


gcusello
SplunkTrust

Hi @Mark_Heimer ,

Obviously, cloning a CS you get the same settings as the original one, so also the same Notable name.

My hint is to enter the cloned Create Notable Adaptive Response Action and modify the Notable Name; in this way you'll have the modified name in the Incident View.

About the app to contain the custom CSs, this is a hint from PS.

Ciao.

Giuseppe

Mark_Heimer
Engager

Hi,

Another strange thing that happens to me, and I just realized it, is that when I refresh the "Incident Review" page with correctly loaded filters and showing true notable results, the "source" filter becomes something like this:

source: Access%20-%20Excessive%20Failed%20Logins%20-%20Rule

And no results are shown on the page after page refresh.

thanks.


gcusello
SplunkTrust

Hi @Mark_Heimer ,

check how you created the drilldown filter, because these are HTML codes.

Ciao.

Giuseppe

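An added illustration (not from this thread, and not Splunk's own code) of how a source filter can end up reading `Access%20-%20Excessive%20Failed%20Logins%20-%20Rule`: if the rule name is percent-encoded before it is placed into the drilldown URL, the page decodes it only once, and the literal `%20` string never equals any rule name. The base path, the sample notable names and the assumption that Incident Review compares `rule_name` literally are all constructed for this example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Constructed sample data, not taken from a live ES instance.
RULE_NAME = "Access - Excessive Failed Logins - Rule"
SAMPLE_NOTABLES = [
    "Access - Excessive Failed Logins - Rule",
    "Access - Excessive Failed Logins- Custom - Rule",
    "Endpoint - Host Sending Excessive Email - Rule",
]
# Hypothetical base path; the real ES path is not shown in the thread.
INCIDENT_REVIEW = "/app/SplunkEnterpriseSecuritySuite/incident_review"


def build_drilldown(rule_name, earliest, latest):
    """Correct drilldown: the raw rule name is percent-encoded exactly once."""
    params = {"form.rule_name": rule_name, "earliest": earliest, "latest": latest}
    return INCIDENT_REVIEW + "?" + urlencode(params, quote_via=quote)


def build_double_encoded_drilldown(rule_name, earliest, latest):
    """Faulty drilldown: the name was already percent-encoded before being
    put into the URL, so every '%' is encoded again as '%25'."""
    return build_drilldown(quote(rule_name), earliest, latest)


def rule_name_from_url(url):
    """Decode form.rule_name once, as the receiving page would (assumption)."""
    return parse_qs(urlsplit(url).query).get("form.rule_name", [None])[0]


def matching_notables(url, notable_rule_names=SAMPLE_NOTABLES):
    """Notables whose rule_name equals the decoded filter value exactly."""
    wanted = rule_name_from_url(url)
    return [name for name in notable_rule_names if name == wanted]


if __name__ == "__main__":
    good = build_drilldown(RULE_NAME, "-24h", "now")
    bad = build_double_encoded_drilldown(RULE_NAME, "-24h", "now")
    print(good, "->", matching_notables(good))  # exactly one notable matches
    print(bad, "->", matching_notables(bad))    # [] : filter reads 'Access%20-%20...'
```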

Mark_Heimer
Engager

Hi Giuseppe,

I did exactly what you said, but no luck!

In another try, I even created a search and saved it as an alert, named it "rule-4444", then added a notable to it as an action.

It appeared as "rule-4444" in the "Top Notable Events" in the Security Posture page, but when I click on it, it redirects to the Incident Review page, but again all incidents are listed.

The same thing as ravida says is happening.

When you first click on it, you can see the notable name in the URL after the incident review page: "/incident_review?form.rule_name=rule-4444", followed by earliest/latest timestamps,

but after a while, when the page load completes, it disappears and is replaced with a new URL which only has the earliest/latest values.



gcusello
SplunkTrust

Hi @ravida,

I never experienced this behavior, and I'm using many custom Correlation Searches.

Is this issue present for all the CS or only for that?

Ciao.

Giuseppe



ravida
Explorer

It happens for all of them.

The strange part is, when I first click, you can see the notable name in the URL after "/incident_review?form.rule_name=(rule name)" followed by earliest/latest timestamps,

but after a moment it disappears and is replaced with a new URL which only has the earliest/latest values.


gcusello
SplunkTrust

Hi @ravida ,

as I said, I never experienced this behavior, and I'm using many custom Correlation Searches.

Open a case to Splunk Support.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @ravida ,

when you created the Correlation Search, did you associate the "Add Notable" Adaptive Response Action?

Then, when you configured the Add Notable Adaptive Response Action, did you create the Drilldown Search?

Ciao.

Giuseppe


ravida
Explorer

They are blank. I was under the impression these are for showing the contributing events. Although I am trying to get the "Incident Review" to only show those notables in the list, instead of all notables.
