Solved: How to set Urgency in a correlation search based o...

stefan1988 · ‎12-28-2016

The urgency in a correlation search is calculated by the corr. search severity + the asset/identity priority.

Is it possible to calculate the urgency based on the count of failures?

I'm Using Enterprise Security 4.5.1 and I saw you can set Risk Modifiers under "Add New Response Action", but I couldn't find any option to set the urgency based on a field value (i.e. a count of failures).

Many thanks.

Kind regards,
Stefan

smoir_splunk · ‎01-03-2017

You'd want to change the severity of the correlation search according to the number of failures.

For example, you could append something like this to the end of the correlation search

 | eval severity=case(failure>100,"critical",failure>50,"high",...

Then the urgency calculations will take that severity into account, and be adjusted accordingly.

View solution in original post

smoir_splunk · ‎01-03-2017

You'd want to change the severity of the correlation search according to the number of failures.

For example, you could append something like this to the end of the correlation search

 | eval severity=case(failure>100,"critical",failure>50,"high",...

Then the urgency calculations will take that severity into account, and be adjusted accordingly.

How to set Urgency in a correlation search based on failure count?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?