Splunk Enterprise Security

Notable event title not containing the variable.

b_chris21
Communicator

Hello all,

I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs to ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES.

Facts:
1. I have created a Splunk Correlation search in Content Management "Suricata Medium Severity Alert" which has a custom search:

 

index=suricata sourcetype=suricata event_type=alert alert.severity=2

 

2. In Adaptive Response Actions I added a Notable with the following custom settings:

Title: $signature$  (in order to output the Suricata Alert Signature Title)
Description: A medium severity alert ($signature_id$) was triggered on $src$

Notes:
- Search runs every 5minutes.
- I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created.

What is the problem:
- In the Incident Review console though the new Notable's "Title" has the Saved Searches' title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$) (ET POLICY SMB2 NT Create AndX Request For an Executable File) set on the Notable action event.
- Description: is "unknown"

 

Notes:
- The Notable event is successfully created and it contains all variable fields (src, signature, signature_id).
- All fields are shown on Additional info on the notable, but the point is that variables do not show

Troubleshooting done so far:
- Deleted and recreated Corellation searches and Saved Searches
- Restarted Splunk
- Rebooted OS

Splunk Version: 6.2.2 (Distributed Environment)
Splunk ES: 6.6.0
Splunk CIM: 4.20.0

Any help would be appreciated.

Regards,

Chris

Tags (1)
0 Karma
1 Solution

b_chris21
Communicator

After digging a bit more, I have found the solution.

I have mistakenly disabled the "Threat - Correlation Searches - Lookup Gen" Report. Re-enabled and works like a charm.

 

View solution in original post

0 Karma

b_chris21
Communicator

After digging a bit more, I have found the solution.

I have mistakenly disabled the "Threat - Correlation Searches - Lookup Gen" Report. Re-enabled and works like a charm.

 

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...