I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs to ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES.
Facts:

1. I have created a Splunk Correlation search in Content Management "Suricata Medium Severity Alert" which has a custom search:

2. In Adaptive Response Actions I added a Notable with the following custom settings:

Title: $signature$ (in order to output the Suricata Alert Signature Title)
Description: A medium severity alert ($signature_id$) was triggered on $src$

Notes:
- Search runs every 5 minutes.
- I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created.

What is the problem:
- In the Incident Review console, though, the new Notable's "Title" has the Saved Search's title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$) (ET POLICY SMB2 NT Create AndX Request For an Executable File) set on the Notable action event.
- Description: is "unknown"

Notes:
- The Notable event is successfully created and it contains all variable fields (src, signature, signature_id).
- All fields are shown on Additional info on the notable, but the point is that variables do not show.

Troubleshooting done so far:
- Deleted and recreated Correlation searches and Saved Searches
- Restarted Splunk
- Rebooted OS
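For reference, an added example (not the poster's configuration) of what a correlation search with a Notable action looks like in savedsearches.conf when the fields named by the $signature$, $signature_id$ and $src$ tokens are carried through to the final result rows, which is what the token substitution in the notable title and description depends on. The tstats search, schedule and severity value are assumptions; the action.notable.param.* keys are the ones Splunk ES writes for a correlation search's Notable adaptive response.

```ini
# Added example, not the original post's saved search. The search text,
# schedule and severity filter are assumptions about a CIM-mapped Suricata
# (Intrusion_Detection.IDS_Attacks) data source.
[Threat - Suricata Medium Severity Alert - Rule]
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
# Every field referenced by a $token$ below must exist on the final result
# rows: the "by" clause keeps src, signature and signature_id per row, and
# the rename strips the data-model prefix so the tokens match the field names.
search = | tstats summariesonly=true count from datamodel=Intrusion_Detection.IDS_Attacks \
  where IDS_Attacks.severity="medium" \
  by IDS_Attacks.src, IDS_Attacks.signature, IDS_Attacks.signature_id \
  | rename IDS_Attacks.* as *
action.notable = 1
action.notable.param.rule_title = $signature$
action.notable.param.rule_description = A medium severity alert ($signature_id$) was triggered on $src$
action.notable.param.security_domain = network
action.notable.param.severity = medium
```

Running the search part on its own and confirming that src, signature and signature_id appear as columns in the last row set is a quick way to check that the tokens have something to resolve against.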