Splunk Enterprise Security

Enterprise Security correlation search: If severity specified is "high", should notable event appear with urgency of "high"?

Explorer

I created a correlation search in Enterprise Security 2.4.1 which, when triggered, creates notable events with an urgency value of "medium" as opposed to "high". The details of the search follow:

Domain: Access
Application Context: SA-AccessProtection
Search:
GroupName="admin" `accountmanagement` | `get_event_id` | eval Group=GroupDomain + "\\" + GroupName | stats first(_raw) as orig_raw,first(event_id) as orig_event,count by signature,ComputerName,GroupDomain,GroupName

Time Range: Start:-5m@m Finish: +5m@m
Cron Schedule: */5 * * * *
Rule Title: Account Maintenance Detected - Admin Group $GroupName$
Rule Description: Maintenance has been performed on the Admin Group $GroupName$
Severity: high
Drill-down Name: View all changes to the group $GroupName$
Drill-down Search: `accountmanagement` | search signature=$signature$ GroupDomain=$GroupDomain$ GroupName=$GroupName$ ComputerName=$ComputerName$
Window Duration: 5m
Fields to Group By: EventCode, signature, ComputerName, GroupDomain, GroupName

Being that the severity specified is "high", shouldn't the notable event also appear with an urgency of "high"?

Thank you.


Re: Enterprise Security correlation search: If severity specified is "high", should notable event appear with urgency of "high"?

Champion

The urgency is a calculation based on the severity of the correlation search and the asset's priority. See these docs for details.

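As an added example (not part of this thread, and not ES code), the Python below models that calculation. The severity-by-priority table is an assumption reconstructed from the ES documentation, so verify it against the urgency lookup shipped with your ES version; the asset list and host names are constructed. It shows why a high-severity search can still produce a medium urgency when the event's host matches no asset record.

```python
# Added example: urgency = f(correlation-search severity, asset priority).
# ASSUMPTION: this table is modelled on the ES urgency lookup; confirm it
# against the lookup in your own ES install before relying on it.
URGENCY = {
    # asset priority -> {search severity -> notable urgency}
    "unknown":  {"informational": "informational", "low": "low",
                 "medium": "low", "high": "medium", "critical": "high"},
    "low":      {"informational": "informational", "low": "low",
                 "medium": "low", "high": "medium", "critical": "high"},
    "medium":   {"informational": "informational", "low": "low",
                 "medium": "medium", "high": "high", "critical": "critical"},
    "high":     {"informational": "informational", "low": "medium",
                 "medium": "high", "high": "high", "critical": "critical"},
    "critical": {"informational": "informational", "low": "medium",
                 "medium": "high", "high": "critical", "critical": "critical"},
}

# Constructed asset list (stand-in for the ES asset lookup). ES assigns
# priority by matching the event's host fields against asset records;
# a host with no matching record is treated as priority "unknown".
ASSETS = [
    {"nt_host": "DC01", "dns": "dc01.corp.example", "priority": "high"},
    {"nt_host": "FS02", "dns": "fs02.corp.example", "priority": "medium"},
]


def asset_priority(host, assets=ASSETS):
    """Return the priority of the asset matching host, or 'unknown'.
    Case-insensitive nt_host/dns matching is a simplification of ES."""
    key = host.lower()
    for asset in assets:
        if key in (asset["nt_host"].lower(), asset["dns"].lower()):
            return asset["priority"]
    return "unknown"


def urgency(severity, priority):
    """Look up the notable urgency for a severity/priority pair."""
    return URGENCY[priority.lower()][severity.lower()]


def explain(computer_name, severity="high"):
    """Resolve the asset behind ComputerName and explain the urgency."""
    prio = asset_priority(computer_name)
    urg = urgency(severity, prio)
    reason = ("asset record matched" if prio != "unknown"
              else "no asset record matched; priority treated as unknown")
    return {"host": computer_name, "priority": prio,
            "urgency": urg, "reason": reason}
```

With a high-severity search, `explain("DC01")` and `explain("FS02")` both yield urgency high, while an unlisted host such as `explain("dc03")` drops to medium, which is the first thing to check when the urgency looks too low.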

Re: Enterprise Security correlation search: If severity specified is "high", should notable event appear with urgency of "high"?

Explorer

The assets have a priority of either medium or high. The correlation search is defined with a severity of high. It is my understanding that for both types of assets, the resulting urgency would be high.

Is this not the case?
