Hi folks,
This has been bugging me for a while. When I click on a custom-made correlation search in the Security Posture's Top Notable Events dashboard pane, it doesn't filter for that rule name in the incident review, it just shows all of them. Where do I configure it to drill down properly?
Thanks!
Hi there,
the same story is true for me. Actually, after updating ESCU to 4330.
Not only for custom correlation search rules but also for cloned rules.
Before that everything was OK!
When you clone a built-in rule, e.g. "Excessive Failed Logins", to something like "Excessive Failed Logins- Custom", in the Security Posture's Top Notable Events dashboard pane it appears as "Access - Excessive Failed Logins- Custom - Rule", and when you click on it to open it in Incident Review, it doesn't filter on this as the selected source; all incidents are listed as if no filter were selected.
Hi @Mark_Heimer ,
did you modify only the Correlation Search name or also the Notable name?
In Incident Review you see the Notable name, not the Correlation Search name.
In addition, when I clone a CS, I always prefer to move it into a custom app and not release it in the Enterprise Security apps; in this way I have all the customizations in a custom app. It isn't mandatory, but you have a cleaner and more ordered situation.
Ciao.
Giuseppe
Hi dear Giuseppe,
thanks for the fast reply.
Here is what I did.
I click on the Configure menu, then go to Content/Content Management. From the filters I select and check Correlation Search in the drop-down list. Then from "Actions" in the top right corner I hit "Clone".
In the new window there is "New Search Label", to which I add "- custom" at the end. Then I select the App and set it to "SA-AccessProtection".
Next, in "Edit Correlation Search" I make any change to the "Search" and click Save. Done!
This is all I do.
The point is, even if I enable both of them, the two appear in the "Top Notable Events" pane and both work simultaneously. Clicking on the original rule redirects you to the "Incident Review" page with the correct rule selected as source, but when clicking on the cloned or newly created rule you are redirected to the "Incident Review" page with all incidents listed and the source field has no selected value.
The strange part is that rules that I had created or cloned in the past (about ) are working fine.
Hi @Mark_Heimer ,
you should have, at the bottom of the form, the choice of the Adaptive Response Actions, and among them you should have Create Notable.
In this part of the form, you can modify the name of the Notable.
About the app, Splunk PS's hint is to save your own Correlation Searches in a dedicated custom app, not in "SA-AccessProtection".
Ciao.
Giuseppe
Hi dear Giuseppe,
when I clone a rule, the Adaptive Response Actions options (i.e. Notable) and, most of the time, Risk Analysis are present by default, as are the other fields and options, the same as in the original rule. That's why I clone a rule.
Second, I have done it this way for a long time but never ran into this problem, and as you mentioned earlier my custom rules were working just fine.
About the app, I used my custom app, and "SA-AccessProtection" was my last try.
And for the newly created custom app I do create a notable.
Thanks
Hi @Mark_Heimer ,
obviously, when cloning a CS you have the same settings as the original one, so also the same Notable name.
My hint is to enter the cloned Create Notable Adaptive Response Action and modify the Notable Name; in this way, you'll have the modified name in the Incident Review.
About the app to contain the custom CSs, this is a hint from PS.
Ciao.
Giuseppe
Hi,
Another strange thing that happens to me, and that I just realized, is that when I refresh the "Incident Review" page with correctly loaded filters and showing true notable results, the "source" filter becomes something like this:
source: Access%20-%20Excessive%20Failed%20Logins%20-%20Rule
And no results are shown on the page after page refresh.
Thanks.
Hi @Mark_Heimer ,
check how you created the drilldown filter, because these are HTML codes.
Ciao.
Giuseppe
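To make the `%20` symptom above concrete, here is a small added diagnostic (not from this thread, and not Splunk's own code) that builds an Incident Review drilldown URL of the shape quoted later in the thread (`/incident_review?form.rule_name=...&earliest=...&latest=...`), reads the rule filter back out of such a URL, and flags the two failure modes described: the rule filter dropped entirely, or a value that was URL-encoded twice so that `%20` survives into the filter. The sample rule name and URLs are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, unquote

# Constructed sample, modelled on the URL shape quoted in the thread.
RULE_NAME = "Access - Excessive Failed Logins - Rule"
BASE = "/incident_review"


def build_drilldown_url(rule_name, earliest="-24h", latest="now"):
    """Encode the rule name exactly once; spaces become '+' in the query string."""
    return BASE + "?" + urlencode(
        {"form.rule_name": rule_name, "earliest": earliest, "latest": latest}
    )


def rule_name_from_url(url):
    """Return the decoded form.rule_name value, or None if the parameter is absent."""
    params = parse_qs(urlsplit(url).query)
    values = params.get("form.rule_name")
    return values[0] if values else None


def encoding_problem(url):
    """Classify a drilldown URL.

    'missing'        : no form.rule_name survived (the 'all incidents listed' case)
    'double-encoded' : decoding once still leaves %xx escapes in the value, so the
                       filter literally contains '%20' as seen after a page refresh
    None             : the rule filter is present and decodes to plain text
    """
    name = rule_name_from_url(url)
    if name is None:
        return "missing"
    if unquote(name) != name:
        return "double-encoded"
    return None


if __name__ == "__main__":
    good = build_drilldown_url(RULE_NAME)
    print(good, "->", encoding_problem(good))
    # A URL whose rule name was encoded twice: '%20' itself became '%2520'.
    bad = BASE + "?form.rule_name=Access%2520-%2520Excessive%2520Failed%2520Logins%2520-%2520Rule&earliest=-24h&latest=now"
    print(rule_name_from_url(bad), "->", encoding_problem(bad))
```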
Hi Giuseppe,
I did exactly what you said, but no luck!
In another try, I even created a search and saved it as an alert, named it "rule-4444", then added a notable to it as an action.
It appeared as "rule-4444" in the "Top Notable Events" on the Security Posture page, but when I click on it, I am redirected to the Incident Review page and again all incidents are listed.
The same thing as ravida says is happening.
When you first click on it, you can see the notable name in the URL after the incident review page, "/incident_review?form.rule_name=rule-4444", followed by the earliest/latest timestamps,
but after a while, when the page load completes, it disappears and is replaced with a new URL which only has the earliest/latest values.
Hi @ravida,
I never experienced this behavior and I'm using many custom Correlation Searches.
Is this issue present for all the CSs or only for that one?
Ciao.
Giuseppe
It happens for all of them.
The strange part is, when I first click, you can see the notable name in the URL after "/incident_review?form.rule_name=(rule name)", followed by the earliest/latest timestamps,
but after a moment it disappears and is replaced with a new URL which only has the earliest/latest values.
Hi @ravida ,
as I said, I never experienced this behavior and I'm using many custom Correlation Searches.
Open a case with Splunk Support.
Ciao.
Giuseppe
Hi @ravida ,
when you created the Correlation Search, did you associate the "Add Notable" Adaptive Response Action?
Then, when you configured the Add Notable Adaptive Response Action, did you create the Drilldown Search?
Ciao.
Giuseppe
They are blank. I was under the impression these are for showing the contributing events. Although I am trying to get the "Incident Review" to only show those notables in the list, instead of all notables.