Splunk Enterprise Security

Notable event title not containing the variable.

b_chris21
Path Finder

Hello all,

I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs to ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES.

Facts:
1. I have created a Splunk Correlation search in Content Management "Suricata Medium Severity Alert" which has a custom search:

 

index=suricata sourcetype=suricata event_type=alert alert.severity=2

 

2. In Adaptive Response Actions I added a Notable with the following custom settings:

Title: $signature$  (in order to output the Suricata Alert Signature Title)
Description: A medium severity alert ($signature_id$) was triggered on $src$

Notes:
- Search runs every 5minutes.
- I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created.

What is the problem:
- In the Incident Review console though the new Notable's "Title" has the Saved Searches' title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$) (ET POLICY SMB2 NT Create AndX Request For an Executable File) set on the Notable action event.
- Description: is "unknown"

 

Notes:
- The Notable event is successfully created and it contains all variable fields (src, signature, signature_id).
- All fields are shown on Additional info on the notable, but the point is that variables do not show

Troubleshooting done so far:
- Deleted and recreated Corellation searches and Saved Searches
- Restarted Splunk
- Rebooted OS

Splunk Version: 6.2.2 (Distributed Environment)
Splunk ES: 6.6.0
Splunk CIM: 4.20.0

Any help would be appreciated.

Regards,

Chris

Tags (1)
0 Karma
1 Solution

b_chris21
Path Finder

After digging a bit more, I have found the solution.

I have mistakenly disabled the "Threat - Correlation Searches - Lookup Gen" Report. Re-enabled and works like a charm.

 

View solution in original post

0 Karma

b_chris21
Path Finder

After digging a bit more, I have found the solution.

I have mistakenly disabled the "Threat - Correlation Searches - Lookup Gen" Report. Re-enabled and works like a charm.

 

View solution in original post

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!