
Splunk issue report: Error in security domain settings in correlation searches and Incident Review page

tuts
Path Finder

While using Splunk ES, we noticed that correlation searches were set to an incorrect security field on the Incident Review page. This leads to inaccurate classification of security events and affects the decision-making process.

The first step is to set Security Domain = Access.

[screenshot]


The problem is that instead of being classified as Security Domain = Access, it is classified as Threat, and so all cases are classified as Threat.

[screenshot]



This causes us a problem with the values not appearing on the Security Posture page.


[screenshot]

0 Karma

PickleRick
SplunkTrust

1. Maybe someone tampered with your installation. This is from my lab with default settings:

[screenshot]

2. Anyway, even if there was an error, the proper channel to report it is to create a Support case. This is a community-driven forum, not a support channel.

0 Karma

tuts
Path Finder

[screenshot]

I have the same settings, it categorizes all correlations with the value Threat.


0 Karma

PickleRick
SplunkTrust

I'm tempted to say you're looking at a wrong correlation search. The one we're both looking into is a standard search defined in SA-AccessProtection called "Excessive Failed Logins", right?

And it should produce a notable with the title "Excessive Failed Logins". But your notables have the title "Access - login splunk - Rule". It is most probably something created in your environment (even more so because splunk is spelled with a lowercase "s", so it's definitely not something provided by Splunk).


0 Karma

tuts
Path Finder

Yes, exactly, this is what I am surprised about: why does it add "Access - login splunk - Rule" although I did not modify the address? Is there a solution to this problem for me? I will be grateful to you.

[screenshot: Content Management page]

[screenshot: Content Management page]

I activated every rule but still the same problem, all the results are categorized as Threat.

0 Karma

PickleRick
SplunkTrust

1. Don't just enable all Correlation Rules. You'll kill your ES installation.

2. Try this to find the rule which creates your notables:

| rest /services/saved/searches
| search action.notable.param.rule_title="Access - * - Rule"
| table title action.notable.param.rule_title action.notable.param.security_domain disabled eai:acl.app eai:acl.owner eai:acl.sharing


0 Karma

tuts
Path Finder

[screenshot: search results]

 No results found

0 Karma

PickleRick
SplunkTrust

Try

/serviceNS/-/-/

instead of

/services/
0 Karma

tuts
Path Finder

[screenshot: search results]

 No results found

0 Karma

PickleRick
SplunkTrust

Sorry, my typo. It's servicesNS (plural).

0 Karma
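The same audit can be run outside the search bar. As an added example that is not part of this thread, the Python script below parses the JSON form of the saved/searches REST response (as returned by /servicesNS/-/-/saved/searches?output_mode=json), lists every search with the notable action enabled together with its rule_title, security_domain, app, owner and sharing, and flags two things a defender would want to see here: a "<Domain> - ... - Rule" name whose domain disagrees with the configured security_domain, and a search that lives outside ES's own SA-/DA-ESS- apps (that app-prefix heuristic is an assumption). The response data is constructed sample input.

```python
import json
import re

# Constructed sample of GET /servicesNS/-/-/saved/searches?output_mode=json,
# reduced to the fields this audit reads (real responses carry many more).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Access - Excessive Failed Logins - Rule",
     "acl": {"app": "SA-AccessProtection", "owner": "nobody", "sharing": "global"},
     "content": {"action.notable": "1",
                 "action.notable.param.rule_title": "Excessive Failed Logins",
                 "action.notable.param.security_domain": "access", "disabled": "0"}},
    {"name": "Access - login splunk - Rule",
     "acl": {"app": "search", "owner": "admin", "sharing": "user"},
     "content": {"action.notable": "1",
                 "action.notable.param.rule_title": "Access - login splunk - Rule",
                 "action.notable.param.security_domain": "threat", "disabled": "0"}},
    {"name": "Weekly report", "acl": {"app": "search", "owner": "admin", "sharing": "app"},
     "content": {"action.notable": "0", "disabled": "0"}},
]})

# ES correlation searches are named "<Domain> - <Name> - Rule"; the domain in the
# name should agree with the security_domain the notable action is configured with.
NAME_RE = re.compile(r"^(?P<domain>[A-Za-z]+) - .+ - Rule$")
# Heuristic (assumption): ES ships its content in SA-*/DA-ESS-* apps; anything
# else is treated as locally created content.
ES_APP_PREFIXES = ("SA-", "DA-ESS-")


def audit_notable_searches(response_json):
    """Return one finding per saved search that has the notable action enabled."""
    findings = []
    for entry in json.loads(response_json)["entry"]:
        content = entry["content"]
        if content.get("action.notable") != "1":
            continue  # not a notable-producing search, skip it
        domain = content.get("action.notable.param.security_domain", "").lower()
        match = NAME_RE.match(entry["name"])
        name_domain = match.group("domain").lower() if match else None
        findings.append({
            "name": entry["name"],
            "rule_title": content.get("action.notable.param.rule_title", ""),
            "security_domain": domain,
            "app": entry["acl"]["app"], "owner": entry["acl"]["owner"],
            "sharing": entry["acl"]["sharing"], "disabled": content.get("disabled"),
            "domain_mismatch": name_domain is not None and name_domain != domain,
            "custom": not entry["acl"]["app"].startswith(ES_APP_PREFIXES),
        })
    return findings
```

Calling audit_notable_searches on the sample reports the locally created "Access - login splunk - Rule" as both a domain mismatch (name says Access, notable tagged threat) and custom content, which is exactly the combination the thread is chasing.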

tuts
Path Finder

What should I do now to solve the problem?

0 Karma