Enterprise Security correlation search: If severit...

adamblock1 · ‎08-06-2014

I created a correlation search in Enterprise Security 2.4.1 which, when triggered, creates notable events with an urgency value of "medium" as opposed to "high". The details of the search follow:

Domain: Access
Application Context: SA-AccessProtection
Search:
Group_Name="admin" account_management | get_event_id | eval Group=Group_Domain + "\" + Group_Name | stats first(_raw) as orig_raw,first(event_id) as orig_event,count by signature,ComputerName,Group_Domain,Group_Name

Time Range: Start:-5m@m Finish: +5m@m
Cron Schedule: */5 * * * *
Rule Tile: Account Maintenance Detected - Admin Group $Group_Name$
Rule Description: Maintenance has been performed on the Admin Group $Group_Name$
Severity: high
Drill-down Name: View all changes to the group $Group_Name$
Drill-down Search: account_management | search signature=$signature$ Group_Domain=$Group_Domain$ Group_Name=$Group_Name$ ComputerName=$ComputerName$
Window Duration: 5m
Fields to Group By: EventCode, signature, ComputerName, Group_Domain, Group_Name

Being that the severity specified is "high", shouldn't the notable event also appear with an urgency of "high"?

Thank you.

LukeMurphey · ‎08-06-2014

The urgency is a calculation based on the severity of the correlation search and the asset's priority. See these docs for details.

adamblock1 · ‎08-06-2014

The assets have a priority of either medium or high. The correlation search is defined with a severity of high. It is my understanding that for both types of assets, the resulting urgency would be high.

Is this not the case?

Enterprise Security correlation search: If severity specified is "high", should notable event appear with urgency of "high"?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...