Splunk Enterprise Security

How can I view the source index where Splunk Enterprise Security take the event?

sami2
New Member

I need to know where i can view the source index of the event that Splunk Enterprise Security take to make an alert, because is showing me that is from risk index.

0 Karma

hettervi
Builder

If you want index to be included as a field in the incident itself, you could add "index" as an incident review event attribute.

Configure > Incident Management > Incident Review Settings > Incident Review - Event Attributes

For this to work you would also have to make sure that the index field is included in the output of your correlation searches as well. This would require edits to a lot of the out-of-the-box correlation searches that use the tstats command on data models.

0 Karma

xeaon
Explorer

It depends. Often alerts are fired based on the output correlation searches and these are usually baked by data models.

The easiest way would be to check if your incident review event has shows something like the original sourcetype. From there you should find the source index relatively quickly.

Another option would be to check the actual SPL in the given correlation search in each incident review event. You'll see, which datamodel/s is/are used to get the data from. From here, you could either look for the specific datamodels in your

Enterprise Security -> Configuration -> CIM Setup

or in

Global Settings -> Advanced Search -> Search Macros -> cim_[Datamodel]_indexes

 

 

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...