While using Splunk ES, we noticed that correlation searches were set to an incorrect security field on the Incident Review page. This leads to inaccurate classification of security events and affects the decision-making process.
The first step is to set security Domain = Access.
The problem is that instead of being classified as security Domain = Access, it is classified as Threat, and so all cases are classified as Threat.
This causes us a problem with the values not appearing on the Security Posture page.
1. Maybe someone tampered with your installation. This is from my lab with default settings:
2. Anyway, even if there was an error, the proper channel to report it is to create a Support case. This is a community-driven forum, not a support channel.
I have the same settings, it categorizes all correlations with the value Threat.
I'm tempted to say you're looking at a wrong correlation search. The one we're both looking into is a standard search defined in SA-AccessProtection called "Excessive Failed Logins", right?
And it should produce a notable with a title "Excessive Failed Logins". But your notables have a title "Access - login splunk - Rule". It is most probably something created in your environment (even more so because splunk is spelled with a lowercase "s", so it's definitely not something provided by Splunk).
Yes, exactly, this is what I am surprised about: why does it add "Access - login splunk - Rule" although I did not modify the address? Is there a solution to this problem for me? I will be grateful to you.
I activated every rule but still the same problem, all the results are categorized as Threat.
1. Don't just enable all Correlation Rules. You'll kill your ES installation.
2. Try this to find the rule which creates your notables:
| rest /services/saved/searches
| search action.notable.param.rule_title="Access - * - Rule"
| table title action.notable.param.rule_title action.notable.param.security_domain disabled eai:acl.app eai:acl.owner eai:acl.sharing
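The same audit done outside the search bar, as an added example (not code from this thread or from Splunk): it reads the JSON that the saved/searches REST endpoint returns, keeps the entries whose notable rule_title matches the same wildcard pattern as the SPL above, and additionally flags correlation searches whose "Domain - Name - Rule" title prefix disagrees with the security_domain the notable action sets. The sample REST document embedded below is constructed for the example and trimmed to the keys the script needs; the entry names, apps and owners in it are made up.

```python
import fnmatch
import json

# Constructed sample in the shape of
# GET /servicesNS/-/-/saved/searches?output_mode=json (only the keys used here).
# The three saved searches and their ACLs are invented for this example.
SAMPLE_REST_JSON = json.dumps({
    "entry": [
        {
            "name": "Access - Excessive Failed Logins - Rule",
            "acl": {"app": "SA-AccessProtection", "owner": "nobody", "sharing": "global"},
            "content": {
                "disabled": "1",
                "action.notable.param.rule_title": "Excessive Failed Logins",
                "action.notable.param.security_domain": "access",
            },
        },
        {
            # A locally created rule whose title says Access but whose
            # notable action is configured with the threat domain.
            "name": "Access - login splunk - Rule",
            "acl": {"app": "search", "owner": "admin", "sharing": "app"},
            "content": {
                "disabled": "0",
                "action.notable.param.rule_title": "Access - login splunk - Rule",
                "action.notable.param.security_domain": "threat",
            },
        },
        {
            "name": "Threat - Example Detection - Rule",
            "acl": {"app": "SA-ThreatIntelligence", "owner": "nobody", "sharing": "global"},
            "content": {
                "disabled": "0",
                "action.notable.param.rule_title": "Threat - Example Detection - Rule",
                "action.notable.param.security_domain": "threat",
            },
        },
    ]
})


def find_notable_rules(rest_json, rule_title_glob):
    """Return the saved searches whose notable rule_title matches the glob.

    The returned columns mirror the SPL `table` command above:
    title, rule_title, security_domain, disabled, app, owner, sharing.
    """
    rows = []
    for entry in json.loads(rest_json).get("entry", []):
        content = entry.get("content", {})
        rule_title = content.get("action.notable.param.rule_title", "")
        if not fnmatch.fnmatchcase(rule_title, rule_title_glob):
            continue
        acl = entry.get("acl", {})
        rows.append({
            "title": entry.get("name", ""),
            "rule_title": rule_title,
            "security_domain": content.get("action.notable.param.security_domain", ""),
            "disabled": content.get("disabled", ""),
            "app": acl.get("app", ""),
            "owner": acl.get("owner", ""),
            "sharing": acl.get("sharing", ""),
        })
    return rows


def domain_mismatches(rows):
    """Titles whose 'Domain - Name - Rule' prefix disagrees with security_domain.

    A rule named "Access - ... - Rule" that sets security_domain=threat is
    exactly the misclassification discussed in the thread.
    """
    mismatched = []
    for row in rows:
        title_domain = row["title"].split(" - ", 1)[0].strip().lower()
        if title_domain != row["security_domain"].strip().lower():
            mismatched.append(row["title"])
    return mismatched


if __name__ == "__main__":
    for row in find_notable_rules(SAMPLE_REST_JSON, "Access - * - Rule"):
        print(row)
    print("domain mismatches:", domain_mismatches(find_notable_rules(SAMPLE_REST_JSON, "*")))
```

To run it against a live instance, fetch the document with a management-port request such as `curl -k -H "Authorization: Bearer <token>" "https://<splunk-host>:8089/servicesNS/-/-/saved/searches?output_mode=json&count=0"` and pass the response body to find_notable_rules; the `-/-/` namespace is what makes saved searches from every app and owner visible, which is the point of the servicesNS correction later in the thread.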
No results found
Try
/serviceNS/-/-/
instead of
/services/
No results found
Sorry, my typo. It's servicesNS (plural).
What should I do now to solve the problem?