Security

Splunk issue report: Error in security domain settings in correlation searches and Incident Review page

tuts
Path Finder

While using Splunk ES, we noticed that correlation searches were set
To an incorrect security field on the Incident Review page. This leads to inaccurate classifications of events
Security and affects the decision-making process

The first step is to set security Domain = Access

tuts_0-1720872572968.png


The problem is that instead of being classified as security Domain = Access, it is classified as Theret, and so all cases are classified as Theret

tuts_1-1720872610012.png



This causes us a problem with the values ​​not appearing on the Security Posture page


tuts_2-1720872678035.png

 




Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. Maybe someone tampered with your installation. This is from my lab with default settings:

PickleRick_0-1720878447531.png

2. Anyway, even if there was an error, the proper channel to report it is to create a Support case. This is a community-driven forum, not a support channel

0 Karma

tuts
Path Finder

tuts_0-1720881668246.jpeg

I have the same settings, it categorizes all...
Correlation with the value Threat  

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

I'm tempted to say you're looking at a wrong correlation search. The one we're both looking into is a standard search defined in SA-AccessProtection called "Excessive Failed Logins", right?

And it should produce a notable with a title "Excessive Failed Logins". But your notables have a title "Access - login splunk - Rule". It is most probably something created in your environment (even more so because splunk is spelled with lowercase "S" so it's definitely not something provided by Splunk.

 

0 Karma

tuts
Path Finder

Yes, exactly, this is what I am surprised about, why does it add Access - login splunk - Rule although I did not modify the address is there a solution to this problem for me and I will be

2024-07-13 21_14_12-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg

2024-07-13 21_15_17-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg


I activated every rule but still the same problem all the results categorize Threat



grateful to you

0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. Don't just enable all Correlation Rules. You'll kill your ES installation

2. Try this to find the rule which creates your notables

| rest /services/saved/searches
| search action.notable.param.rule_title="Access - * - Rule"
| table title action.notable.param.rule_title action.notable.param.security_domain disabled eao:acl.app eai:acl.owner eai:acl.sharing |

 

0 Karma

tuts
Path Finder

2024-07-13 23_07_29-Search _ Splunk 9.2.1 and 15 more pages - Profile 1 - Microsoft​ Edge.jpg

 No results found

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Try

/serviceNS/-/-/

instead of

/services/
0 Karma

tuts
Path Finder

2024-07-14 08_49_28-Search _ Splunk 9.2.1 and 17 more pages - Profile 1 - Microsoft​ Edge.jpg

 No results found

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Sorry, my typo. It's servicesNS (plural).

0 Karma

tuts
Path Finder

What should I do now to solve the problem

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...