Getting Data In

Splunk Enterprise Security passing fields in notable settings

splunky_diamond
Path Finder

Hello Splunkers!

I have built my own correlation search:

splunky_diamond_0-1716182599645.png


From which I am generating a notable. In that notable I want to pass some fields using the $

splunky_diamond_1-1716182670751.png

 

I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason: 

splunky_diamond_2-1716182815413.png

 

Can someone please tell me how can I make it work? Let me know if you want me to share some other configurations that I did, that might be relevant to this issue.

Thanks for taking your time reading and replying to my post ❤️



Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @splunky_diamond ,

I suppose that You are confusing passing some Correlation Search fields in the title of the CS itself (using a token) with the fields to display in an Incident review.
The example you gave is of the first type, but, if I correctly understand, you want to display other fields in the Notable information.
to do this you must add these fields to the Correlation Search results (e.g. as values in the stats command), so that they are written in the Notable event and then, go to [Configure > Incident Review>Incident Settings] and add these fields to those displayed (if they were not already present).

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @splunky_diamond ,

I suppose that You are confusing passing some Correlation Search fields in the title of the CS itself (using a token) with the fields to display in an Incident review.
The example you gave is of the first type, but, if I correctly understand, you want to display other fields in the Notable information.
to do this you must add these fields to the Correlation Search results (e.g. as values in the stats command), so that they are written in the Notable event and then, go to [Configure > Incident Review>Incident Settings] and add these fields to those displayed (if they were not already present).

Ciao.

Giuseppe

splunky_diamond
Path Finder

@gcusello , I tried your suggestion, it worked for the "fudo_session" field, thank you!

However, I tried the same on "dvc" field and it does not work for some reason... 

I tried extracting new field called "node_address" and added it to my search in the following way:

index=fudo_index completed_action="deleted session."
| stats values("node_address") as address values("user") as user values("fudo_session") as session values("completed_action") as "completed action" count("completed_action") as counter
| where 'counter'>0

And in the title of the notable I have the following: 

Deleted recorded session $session$ detected on $address$

Also I added both fields in the incident review settings as you said. 

Here is the result: 

splunky_diamond_0-1716196657657.png


The value that should appear instead of "$address$" is the IPv4 address. When I was extracting the field node_address, I did it in the enterprise security app in the search. For the permissions I made it global with everyone being able to read and only admin with write permissions (just like fudo_session field).

If both of them are completely identical, why isn't this field getting evaluated like fudo_session? Could you please help with troubleshooting this?


0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunky_diamond,

probably this isn't the issue, but why do you use quotes?

index=fudo_index completed_action="deleted session."
| stats 
     values(node_address) AS address 
     values(user) AS user 
     values(fudo_session) AS session 
     values(completed_action) AS "completed action" 
     count(completed_action) AS counter
| where counter>0

quots are mandatory when you have spaces or special chars in the field names.

Then, why don't you use an aggregation key (the BY clause)?

I'd try with something like this:

index=fudo_index completed_action="deleted session."
| stats 
     values(user) AS user 
     values(fudo_session) AS session 
     values(completed_action) AS "completed action" 
     count(completed_action) AS counter
     BY node_address
| where counter>0
| rename node_address AS address

Ciao.

Giuseppe

0 Karma

splunky_diamond
Path Finder

@gcusello , I used quotes when I was trying different cases, with hope that maybe adding them might somehow solve my problem, haha! 

Anyways, I tried the last search that you provided :

index=fudo_index completed_action="deleted session." | stats values(user) AS user values(fudo_session) AS session values(completed_action) AS "completed action" count(completed_action) AS counter BY node_address | where counter>0 | rename node_address AS address

Unfortunately, it didn't help the situation. the $address$ is still not resolved. By the way, it does not matter whether I try with this new field that I extracted, or if I try with the $dest$ or $dvc$ that were parsed in my logs from the beginning, for some reason neither of them resolve in the notable title 😞

Do you have any other ideas what I can check in order to solve my issue?

Cheers,
splunky_diamond

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunky_diamond,

dest and dvc aren't in the Correlation Search, so it's correct.

Instead, address, shouldbe displayed.

Ciao.

Giuseppe

0 Karma

splunky_diamond
Path Finder

Hello @gcusello 
Update: it actually did work! I just got new notable generated and the field value passed successfully!
Thank you very much! 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunky_diamond ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...