Splunk Enterprise Security

Enterprise Security correlation search: If severity specified is "high", should notable event appear with urgency of "high"?

adamblock1
Explorer

I created a correlation search in Enterprise Security 2.4.1 which, when triggered, creates notable events with an urgency value of "medium" as opposed to "high". The details of the search follow:

Domain: Access
Application Context: SA-AccessProtection
Search:
Group_Name="admin" account_management | get_event_id | eval Group=Group_Domain + "\" + Group_Name | stats first(_raw) as orig_raw,first(event_id) as orig_event,count by signature,ComputerName,Group_Domain,Group_Name

Time Range: Start:-5m@m Finish: +5m@m
Cron Schedule: */5 * * * *
Rule Tile: Account Maintenance Detected - Admin Group $Group_Name$
Rule Description: Maintenance has been performed on the Admin Group $Group_Name$
Severity: high
Drill-down Name: View all changes to the group $Group_Name$
Drill-down Search: account_management | search signature=$signature$ Group_Domain=$Group_Domain$ Group_Name=$Group_Name$ ComputerName=$ComputerName$
Window Duration: 5m
Fields to Group By: EventCode, signature, ComputerName, Group_Domain, Group_Name

Being that the severity specified is "high", shouldn't the notable event also appear with an urgency of "high"?

Thank you.

0 Karma

LukeMurphey
Champion

The urgency is a calculation based on the severity of the correlation search and the asset's priority. See these docs for details.

0 Karma

adamblock1
Explorer

The assets have a priority of either medium or high. The correlation search is defined with a severity of high. It is my understanding that for both types of assets, the resulting urgency would be high.

Is this not the case?

0 Karma
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...