Splunk Enterprise Security

Is it possible to tag logs associated with the event_id when a notable event triggers?

nb1030
New Member

I looked around, but could not find anyone asking this question specifically. Basically, when a notable event triggers, it creates the event_id. Is it possible to tag all logs with that event_id that caused the notable event to fire?

Example: If I have a notable event that counts when an FQDN is seen in more than one log within 1hr, it triggers the alert. Let's say it saw the same FQDN in 5 logs within the hour. Is there any way for those 5 logs to then be tagged with the event_id from the notable event?

I ask this for a few reasons:

1) Drill-down searches could be simplified.
2) I could set up a dashboard and email the notable event and the associated logs (by the event_id tag).
3) When performing "hunting", it would be nice to see logs that are already associated with an alert. It would help with correlation.
4) If a log is seen with multiple event_ids, it would help figure out what might be wrong with a notable event, that a notable event might need to be tuned, or locate notable events that fire on the same content.


starcher
Influencer

No, that is not a feature, nor is there a way to retroactively go back and do that. The best way is to make the best drill-down search on the ES correlation search possible, referencing the original index and sourcetype and the values that triggered the alert. Good correlation searches will preserve the original index and sourcetype in orig_index and orig_sourcetype fields so they can be referenced.

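One way to apply starcher's suggestion, as an added example that is not from this thread or from Splunk: a savedsearches.conf stanza for an ES correlation search that keeps orig_index and orig_sourcetype alongside the triggering value, with a drill-down that uses them as tokens. The stanza name, the index "proxy", the sourcetype "proxy_log" and the field "fqdn" are assumptions.

```ini
# Added example (not from the thread): an ES correlation search for the
# "same FQDN in more than one log within an hour" case from the question.
# Assumed names: index "proxy", sourcetype "proxy_log", field "fqdn".
[Threat - FQDN Seen In Multiple Logs - Rule]
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = @m
# Restrict to one index and sourcetype so orig_index and orig_sourcetype stay
# single-valued and can be substituted directly as drill-down tokens.
search = index=proxy sourcetype=proxy_log fqdn=* \
  | stats count AS log_count \
          values(index) AS orig_index \
          values(sourcetype) AS orig_sourcetype \
          min(_time) AS first_seen \
          max(_time) AS last_seen \
    BY fqdn \
  | where log_count > 1
action.notable = 1
action.notable.param.rule_title = FQDN $fqdn$ seen in $log_count$ logs within an hour
action.notable.param.security_domain = network
action.notable.param.severity = medium
# $...$ tokens are filled from the notable event's own fields, so the
# drill-down returns the raw events that were counted without any per-event tag.
action.notable.param.drilldown_name = View the $log_count$ events that triggered this notable
action.notable.param.drilldown_search = index=$orig_index$ sourcetype=$orig_sourcetype$ fqdn="$fqdn$"
# Bound the drill-down to the window the correlation search actually scanned.
action.notable.param.drilldown_earliest_offset = $info_min_time$
action.notable.param.drilldown_latest_offset = $info_max_time$
```

Because first_seen and last_seen travel with the notable, an analyst can narrow the drill-down further by hand when the hourly window contains unrelated events for the same FQDN.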

VatsalJagani
SplunkTrust

@nb1030 - As far as I know, tagging those events is not possible, as tagging can be done based on host, source and sourcetype, and that also has to be written statically in props.conf and transforms.conf. In this case, it would need to be done dynamically. I'm wondering if someone has a workaround for your use cases.
