Splunk Enterprise Security

How does Splunk define and assign urgency in Splunk Enterprise Security?

bettymh
New Member

Hello everyone

I'm using Splunk Enterprise Security, and at the first sight, I saw urgency which includes: "critical, high, medium, law, info"

How are these actions divided to these groups? Is there any code behind it as the code in investigations which we could change them manually?

0 Karma

AnthonyTibaldi
Path Finder

You wrote

"but...
to clear my meaning, my exact question is how it can understand these priority and severity?

for example there is a medium risk attack, and splunk understand it as a medium...right? how they do it exactly?
or maybe it is critical but they said high, we can change them manually! so there must be something, or some code behind it! to define them as a priority and severity!"

Splunk assigns ugency by mapping the assigned severity to the assigned priority of the asset for the various correlation searches.

It is important to check the chart given in the answer above by koshyk . I found most of our assets were classified as unknown therefore lowering the urgency of the alert.

What we did to fix this situation was to change the columns so that ugency matched the assigned severity. This may not have been the best solution but it solved our issue. We were then easily able to map the urgency on the incident review dashboard to the expected severity in the correlation search as it no longer considered the asset in making the determination.

Hope this helps.

koshyk
Super Champion

hi,
Urgency is a combination of
1. Priority of the Device when you build your assets (You can fetch from external sources (eg cmdb) or assign manually. Doc link)
2. Severity of the use-case ( You define them when you write the use case/co-relation search)
Matrix attached below. Further details of how it can be done etc is show here

alt text

bettymh
New Member

Thank you a lot koshyk (@koshyk)

but...
to clear my meaning, my exact question is how it can understand these priority and severity?

for example there is a medium risk attack, and splunk understand it as a medium...right? how they do it exactly?
or maybe it is critical but they said high, we can change them manually! so there must be something, or some code behind it! to define them as a priority and severity!

0 Karma

koshyk
Super Champion

hi, I've added bit more description to my answer on how to assign them. If you think it is ok, please mark it as answer. cheers

0 Karma

rxie_splunk
Splunk Employee
Splunk Employee

Will the search command help you?

From Incident Review dashboard, click Job -> Inspect Job on the timeline chart
A new window opens. Click search.log link at the top
Text search for 'SearchParser - AFTER EXPANDING MACROS' and you will see the SPL search command there.
Copy the command and run it in the Search and you will see how these data computed

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...