Splunk Enterprise Security

Notable event title not containing the variable.

b_chris21
Communicator

Hello all,

I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs to ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES.

Facts:
1. I have created a Splunk Correlation search in Content Management "Suricata Medium Severity Alert" which has a custom search:

 

index=suricata sourcetype=suricata event_type=alert alert.severity=2

 

2. In Adaptive Response Actions I added a Notable with the following custom settings:

Title: $signature$  (in order to output the Suricata Alert Signature Title)
Description: A medium severity alert ($signature_id$) was triggered on $src$

Notes:
- Search runs every 5minutes.
- I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created.

What is the problem:
- In the Incident Review console though the new Notable's "Title" has the Saved Searches' title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$) (ET POLICY SMB2 NT Create AndX Request For an Executable File) set on the Notable action event.
- Description: is "unknown"

 

Notes:
- The Notable event is successfully created and it contains all variable fields (src, signature, signature_id).
- All fields are shown on Additional info on the notable, but the point is that variables do not show

Troubleshooting done so far:
- Deleted and recreated Corellation searches and Saved Searches
- Restarted Splunk
- Rebooted OS

Splunk Version: 6.2.2 (Distributed Environment)
Splunk ES: 6.6.0
Splunk CIM: 4.20.0

Any help would be appreciated.

Regards,

Chris

Tags (1)
0 Karma
1 Solution

b_chris21
Communicator

After digging a bit more, I have found the solution.

I have mistakenly disabled the "Threat - Correlation Searches - Lookup Gen" Report. Re-enabled and works like a charm.

 

View solution in original post

0 Karma

b_chris21
Communicator

After digging a bit more, I have found the solution.

I have mistakenly disabled the "Threat - Correlation Searches - Lookup Gen" Report. Re-enabled and works like a charm.

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...