Splunk Enterprise Security

Enterprise Security incident urgency showing "informational" when I set correlation rule notable to "high"?

ravida
Explorer

Hi folks,

I created a correlation search that looks for administrators setting passwords to never expire, which then creates a notable event for incident review. I tried setting the severity to both "high" and "critical", but when the notable is created the urgency field shows up only as "informational".

When I test the rule, I did it against on accounts that show up as both "high" and "critical" priority in the Identity Investigator, data I enrich via Active Directory.

I checked the lookup table for urgency_lookup and it is as you would expect, nothing is different than the default that would make it calculate to informational. What may I be missing?

 

Thanks!

0 Karma
1 Solution

meetmshah
Builder

Hello @ravida, If you have already checked urgency_lookup along with severity and priority of the assets/identities - there is nothing much to check. Except

  • Validate you are looking over and updating the correct correlation search
  • New notables are generated if you have updated priority / severity (Existing urgency would not be updated)

View solution in original post

meetmshah
Builder

Hello @ravida, If you have already checked urgency_lookup along with severity and priority of the assets/identities - there is nothing much to check. Except

  • Validate you are looking over and updating the correct correlation search
  • New notables are generated if you have updated priority / severity (Existing urgency would not be updated)

meetmshah
Builder

Hello, Just checking through if the issue was resolved or if you have any further questions?

Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...