Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does Splunk define and assign urgency in Splunk Enterprise Security?

bettymh
New Member
‎12-11-2016 05:09 AM

Hello everyone

I'm using Splunk Enterprise Security, and at the first sight, I saw urgency which includes: "critical, high, medium, law, info"

How are these actions divided to these groups? Is there any code behind it as the code in investigations which we could change them manually?

0 Karma
Reply

AnthonyTibaldi
Path Finder
‎12-12-2016 11:19 AM

You wrote

"but...
to clear my meaning, my exact question is how it can understand these priority and severity?

for example there is a medium risk attack, and splunk understand it as a medium...right? how they do it exactly?
or maybe it is critical but they said high, we can change them manually! so there must be something, or some code behind it! to define them as a priority and severity!"

Splunk assigns ugency by mapping the assigned severity to the assigned priority of the asset for the various correlation searches.

It is important to check the chart given in the answer above by koshyk . I found most of our assets were classified as unknown therefore lowering the urgency of the alert.

What we did to fix this situation was to change the columns so that ugency matched the assigned severity. This may not have been the best solution but it solved our issue. We were then easily able to map the urgency on the incident review dashboard to the expected severity in the correlation search as it no longer considered the asset in making the determination.

Hope this helps.

Reply

koshyk
Super Champion
‎12-11-2016 07:55 AM

hi,
Urgency is a combination of
1. Priority of the Device when you build your assets (You can fetch from external sources (eg cmdb) or assign manually. Doc link)
2. Severity of the use-case ( You define them when you write the use case/co-relation search)
Matrix attached below. Further details of how it can be done etc is show here

alt text

Preview file
1 KB
Reply

bettymh
New Member
‎12-11-2016 10:24 PM

Thank you a lot koshyk (@koshyk)

but...
to clear my meaning, my exact question is how it can understand these priority and severity?

for example there is a medium risk attack, and splunk understand it as a medium...right? how they do it exactly?
or maybe it is critical but they said high, we can change them manually! so there must be something, or some code behind it! to define them as a priority and severity!

0 Karma
Reply

koshyk
Super Champion
‎12-12-2016 12:46 PM

hi, I've added bit more description to my answer on how to assign them. If you think it is ok, please mark it as answer. cheers

0 Karma
Reply

rxie_splunk
Splunk Employee
Splunk Employee
‎12-12-2016 10:57 AM

Will the search command help you?

From Incident Review dashboard, click Job -> Inspect Job on the timeline chart
A new window opens. Click search.log link at the top
Text search for 'SearchParser - AFTER EXPANDING MACROS' and you will see the SPL search command there.
Copy the command and run it in the Search and you will see how these data computed

0 Karma
Reply

rpille_splunk
Splunk Employee
Splunk Employee
‎12-11-2016 08:57 AM

Documentation of the above can be found here: http://docs.splunk.com/Documentation/ES/4.5.1/User/NotableEvents#How_urgency_is_assigned_to_notable_...

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...