Splunk Enterprise Security

Setting Multiple severity level for same Correlation search

Shradha_Venkata
New Member

Hi,

Is it possible to set two different severity level for same Correlation search.

For Eg
My search output list source that are communicating to blacklisted IPs
I have set the severity level as high in notable event of the search. But i want to include one more severity level as "informational" for few IPs.

Thanks

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

Within the correlation search you may be able to use an eval command with something like a case statement to do this. However, if you have a list of IPs, I am hoping that there is a second column that has a descriptor like high severity ip and low severity ip. That way the case statement could look for one of the other and assign an urgency based on that value. I have not tested that, but something along those lines should work.

This example we forced an urgency in for reference: https://answers.splunk.com/answers/495073/splunk-enterprise-security-is-there-a-way-to-force.html#an...

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...