Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk issue report: Error in security domain settings in correlation searches and Incident Review page

tuts
Path Finder
‎07-13-2024 05:15 AM

While using Splunk ES, we noticed that correlation searches were set
To an incorrect security field on the Incident Review page. This leads to inaccurate classifications of events
Security and affects the decision-making process

The first step is to set security Domain = Access

tuts_0-1720872572968.png


The problem is that instead of being classified as security Domain = Access, it is classified as Theret, and so all cases are classified as Theret

tuts_1-1720872610012.png



This causes us a problem with the values ​​not appearing on the Security Posture page


tuts_2-1720872678035.png

 




Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-13-2024 06:48 AM

1. Maybe someone tampered with your installation. This is from my lab with default settings:

PickleRick_0-1720878447531.png

2. Anyway, even if there was an error, the proper channel to report it is to create a Support case. This is a community-driven forum, not a support channel

0 Karma
Reply

tuts
Path Finder
‎07-13-2024 07:43 AM

tuts_0-1720881668246.jpeg

I have the same settings, it categorizes all...
Correlation with the value Threat  

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-13-2024 10:15 AM

I'm tempted to say you're looking at a wrong correlation search. The one we're both looking into is a standard search defined in SA-AccessProtection called "Excessive Failed Logins", right?

And it should produce a notable with a title "Excessive Failed Logins". But your notables have a title "Access - login splunk - Rule". It is most probably something created in your environment (even more so because splunk is spelled with lowercase "S" so it's definitely not something provided by Splunk.

 

0 Karma
Reply

tuts
Path Finder
‎07-13-2024 11:17 AM

Yes, exactly, this is what I am surprised about, why does it add Access - login splunk - Rule although I did not modify the address is there a solution to this problem for me and I will be

2024-07-13 21_14_12-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg

2024-07-13 21_15_17-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg


I activated every rule but still the same problem all the results categorize Threat



grateful to you

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-13-2024 12:17 PM

1. Don't just enable all Correlation Rules. You'll kill your ES installation

2. Try this to find the rule which creates your notables

| rest /services/saved/searches
| search action.notable.param.rule_title="Access - * - Rule"
| table title action.notable.param.rule_title action.notable.param.security_domain disabled eao:acl.app eai:acl.owner eai:acl.sharing |

 

0 Karma
Reply

tuts
Path Finder
‎07-13-2024 01:08 PM

2024-07-13 23_07_29-Search _ Splunk 9.2.1 and 15 more pages - Profile 1 - Microsoft​ Edge.jpg

 No results found

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-13-2024 03:44 PM

Try

/serviceNS/-/-/

instead of

/services/
0 Karma
Reply

tuts
Path Finder
‎07-13-2024 10:51 PM

2024-07-14 08_49_28-Search _ Splunk 9.2.1 and 17 more pages - Profile 1 - Microsoft​ Edge.jpg

 No results found

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-14-2024 02:14 AM

Sorry, my typo. It's servicesNS (plural).

0 Karma
Reply

tuts
Path Finder
‎07-14-2024 10:10 AM

What should I do now to solve the problem

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...