Hello Splunkers!
I have built my own correlation search:
From which I am generating a notable. In that notable I want to pass some fields using the $
I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason:
Can someone please tell me how can I make it work? Let me know if you want me to share some other configurations that I did, that might be relevant to this issue.
Thanks for taking your time reading and replying to my post ❤️
Hi @splunky_diamond ,
I suppose that you are confusing passing some Correlation Search fields in the title of the CS itself (using a token) with the fields to display in an Incident review.
The example you gave is of the first type, but, if I correctly understand, you want to display other fields in the Notable information.
To do this you must add these fields to the Correlation Search results (e.g. as values in the stats command), so that they are written in the Notable event and then, go to [Configure > Incident Review > Incident Settings] and add these fields to those displayed (if they were not already present).
Ciao.
Giuseppe
@gcusello , I tried your suggestion, it worked for the "fudo_session" field, thank you!
However, I tried the same on "dvc" field and it does not work for some reason...
I tried extracting new field called "node_address" and added it to my search in the following way:
index=fudo_index completed_action="deleted session."
| stats values("node_address") as address values("user") as user values("fudo_session") as session values("completed_action") as "completed action" count("completed_action") as counter
| where 'counter'>0
And in the title of the notable I have the following:
Deleted recorded session $session$ detected on $address$
Also I added both fields in the incident review settings as you said.
Here is the result:
The value that should appear instead of "$address$" is the IPv4 address. When I was extracting the field node_address, I did it in the enterprise security app in the search. For the permissions I made it global with everyone being able to read and only admin with write permissions (just like fudo_session field).
If both of them are completely identical, why isn't this field getting evaluated like fudo_session? Could you please help with troubleshooting this?
Hi @splunky_diamond,
Probably this isn't the issue, but why do you use quotes?
index=fudo_index completed_action="deleted session."
| stats
values(node_address) AS address
values(user) AS user
values(fudo_session) AS session
values(completed_action) AS "completed action"
count(completed_action) AS counter
| where counter>0
Quotes are mandatory only when you have spaces or special chars in the field names.
Then, why don't you use an aggregation key (the BY clause)?
I'd try with something like this:
index=fudo_index completed_action="deleted session."
| stats
values(user) AS user
values(fudo_session) AS session
values(completed_action) AS "completed action"
count(completed_action) AS counter
BY node_address
| where counter>0
| rename node_address AS address
Ciao.
Giuseppe
@gcusello , I used quotes when I was trying different cases, with hope that maybe adding them might somehow solve my problem, haha!
Anyways, I tried the last search that you provided:
index=fudo_index completed_action="deleted session." | stats values(user) AS user values(fudo_session) AS session values(completed_action) AS "completed action" count(completed_action) AS counter BY node_address | where counter>0 | rename node_address AS address
Unfortunately, it didn't help the situation. The $address$ is still not resolved. By the way, it does not matter whether I try with this new field that I extracted, or if I try with the $dest$ or $dvc$ that were parsed in my logs from the beginning; for some reason neither of them resolves in the notable title 😞
Do you have any other ideas what I can check in order to solve my issue?
Cheers,
splunky_diamond
Hi @splunky_diamond,
dest and dvc aren't in the Correlation Search, so it's correct.
Instead, address should be displayed.
Ciao.
Giuseppe
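As an added illustration of the point made in Giuseppe's two replies (this is example code written here, not code from the thread and not Splunk's own notable implementation): a small Python emulation of the final search shape and of `$field$` token resolution over constructed sample events. It shows that only fields surviving the stats command (plus the renamed BY field) resolve in the notable title, while `$dvc$` stays literal because dvc never reaches the results.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for the indexed Fudo events (not real log
# data). dvc exists in the raw events but is not kept by the stats command below.
EVENTS = [
    {"user": "alice", "fudo_session": "s-101", "completed_action": "deleted session.",
     "node_address": "10.0.0.5", "dvc": "fudo01"},
    {"user": "bob", "fudo_session": "s-102", "completed_action": "deleted session.",
     "node_address": "10.0.0.7", "dvc": "fudo01"},
]
TOKEN = re.compile(r"\$(\w+)\$")


def stats_values_by(events, aliases, by_field):
    """Emulate `stats values(f) AS alias ... count AS counter BY by_field`.
    Only the aliased fields, the BY field and counter survive in the results."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[by_field]].append(ev)
    rows = []
    for key, evs in groups.items():
        row = {by_field: key, "counter": len(evs)}
        for field, alias in aliases.items():
            row[alias] = sorted({ev[field] for ev in evs})
        rows.append(row)
    return rows


def render_title(template, row):
    """Resolve $field$ tokens from one result row. A token naming a field that is
    absent from the row is left literally, which is what Incident Review shows."""
    def sub(match):
        name = match.group(1)
        if name not in row:
            return match.group(0)
        value = row[name]
        return ",".join(value) if isinstance(value, list) else str(value)
    return TOKEN.sub(sub, template)


def notable_titles(events, template):
    """Run the thread's final search shape and render the title per result row."""
    rows = stats_values_by(events, {"user": "user", "fudo_session": "session"},
                           "node_address")
    rows = [r for r in rows if r["counter"] > 0]   # | where counter>0
    for r in rows:                                 # | rename node_address AS address
        r["address"] = r.pop("node_address")
    return [render_title(template, r) for r in rows]
```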
Hello @gcusello
Update: it actually did work! I just got new notable generated and the field value passed successfully!
Thank you very much!
Hi @splunky_diamond ,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉