Splunk Enterprise Security

Is it possible to tag logs associated with the event_id when a notable event triggers?

nb1030
New Member

I looked around, but could not find anyone asking this question specifically. Basically, when a notable event triggers, it creates the event_id. Is it possible to tag all logs with that event_id that caused the notable event to fire?

Example: If I have a notable event that counts when an FQDN is seen in more than one log within 1hr, it triggers the alert. Let's say it saw the same FQDN in 5 logs within the hour. Is there any way for those 5 logs then to be tagged with the event_id from the notable event?

I ask this for a few reasons:

1) Drill-down searches could be simplified.
2) I could set up a dashboard and email the notable event and the associated logs (by the event_id tag).
3) When performing "hunting", it would be nice to see logs that are already associated with an alert. Would help with correlation.
4) If a log is seen with multiple event_ids, it would help figure out what might be wrong with a notable event, that a notable event might need to be tuned, or locate notable events that fire on the same content.

0 Karma

starcher
SplunkTrust

No, that is not a feature, nor is there a way to retroactively go back and do that. The best way is to make the best drill-down search on the ES correlation search possible, referencing the original index and sourcetype and the values that triggered the alert. Good correlation searches will preserve the original index and sourcetype in orig_index and orig_sourcetype fields so they can be referenced.

0 Karma
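As an added illustration for the FQDN case in the question (this is not from the original thread or from Splunk's own content), here is what the approach above looks like as a savedsearches.conf stanza: the correlation search preserves orig_index and orig_sourcetype and the trigger value, and the drill-down search uses those notable fields as $token$ substitutions to pull back exactly the raw events that fired the alert. The stanza name, index, sourcetype and the fqdn field are assumptions; action.notable.param.drilldown_search is the ES setting for the drill-down search, as I understand it.

```ini
# Constructed example stanza for savedsearches.conf (names and field values are assumed)
[Threat - Repeated FQDN Within One Hour - Rule]
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now

# Keep the original index/sourcetype of every matching event, then count per FQDN.
# addinfo runs after stats so info_min_time/info_max_time survive into the notable.
search = index=proxy sourcetype=proxy:web fqdn=* \
| eval orig_index=index, orig_sourcetype=sourcetype \
| stats count values(orig_index) AS orig_index values(orig_sourcetype) AS orig_sourcetype \
    min(_time) AS first_seen max(_time) AS last_seen BY fqdn \
| where count > 1 \
| addinfo

action.notable = 1
action.notable.param.rule_title = Repeated FQDN $fqdn$ seen $count$ times in one hour
action.notable.param.severity = medium

# Drill-down: the tokens are fields on the notable event, so the analyst lands on
# the same index, sourcetype, FQDN and time window that produced the alert.
action.notable.param.drilldown_name = View the $count$ events for $fqdn$
action.notable.param.drilldown_search = index=$orig_index$ sourcetype=$orig_sourcetype$ fqdn="$fqdn$" earliest=$info_min_time$ latest=$info_max_time$
```

The drill-down returns the same events a per-event event_id tag would have returned, without any write-back to the indexed data; if the correlation search spans several indexes, values(orig_index) becomes multivalue and the drill-down should use `index IN (...)` or a wildcard instead of a single `index=` term.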

VatsalJagani
SplunkTrust

@nb1030 - As far as I know, tagging those events is not possible, as tagging can be done based on host, source and sourcetype, and that has to be written statically in props.conf and transforms.conf. In this case, it would need to be done dynamically. I'm wondering if someone has a workaround for your use cases.

0 Karma