Hi,
Is it possible to set two different severity level for same Correlation search.
For Eg
My search output list source that are communicating to blacklisted IPs
I have set the severity level as high in notable event of the search. But i want to include one more severity level as "informational" for few IPs.
Thanks
Within the correlation search you may be able to use an eval
command with something like a case
statement to do this. However, if you have a list of IPs, I am hoping that there is a second column that has a descriptor like high severity ip and low severity ip. That way the case statement could look for one of the other and assign an urgency based on that value. I have not tested that, but something along those lines should work.
This example we forced an urgency in for reference: https://answers.splunk.com/answers/495073/splunk-enterprise-security-is-there-a-way-to-force.html#an...