Splunk Enterprise Security

ES notable urgency changing for old notables.

AK007
Engager

Hi, 

We have correlation search with action as notable. Initially we made it low Severity on notable to monitor and set threshold . when we changed the severity to high for same notable all the old low severity notable events changed to High automatically.  (this search is on data model so dose not have any eval urgency in search).

How to avoid changing old notable event severity  ? we just want new alerts to be with high urgency not change the old once. 

 

0 Karma
1 Solution

Jhunter
Explorer

This is expected behavior as ES stores a correlation search's notable event severity in lookup table (correlationsearches_lookup) so the severity gets changed for all.


Use SPL in the correlation search to assign severity:

https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned

"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."

If you just want all new notables from this use case to be high (and not old ones) just use a an eval. Or you can expand on the eval to custom adjust the severity:

| eval severity="high"

Even if you're using the datamodel command or tstats against a data model, you can still fit this in a pipe somewhere without affecting the searching

tstats count something FROM someDataModel by somethingElse 
| where other stuff and magic
| eval severity="high"

View solution in original post

thambisetty
Super Champion

Notable modular alerts actions values are not written to index=notable. To display severity or priority or urgency, Incident review will perform rest query to get values of correlation search and display in Incident review.

However, I believe there is an option to overwrite severity from in-line search of correlation search.

just add below line to your correlation search.

| eval severity="informational/high/low"

 

————————————
If this helps, give a like below.

Jhunter
Explorer

This is expected behavior as ES stores a correlation search's notable event severity in lookup table (correlationsearches_lookup) so the severity gets changed for all.


Use SPL in the correlation search to assign severity:

https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned

"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."

If you just want all new notables from this use case to be high (and not old ones) just use a an eval. Or you can expand on the eval to custom adjust the severity:

| eval severity="high"

Even if you're using the datamodel command or tstats against a data model, you can still fit this in a pipe somewhere without affecting the searching

tstats count something FROM someDataModel by somethingElse 
| where other stuff and magic
| eval severity="high"

View solution in original post

richgalloway
SplunkTrust
SplunkTrust
AFAIK, that's how ES functions and there's no way to change it.
---
If this reply helps you, an upvote would be appreciated.
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!