Setting Multiple severity level for same Correlati...

Shradha_Venkata · ‎09-08-2017

Hi,

Is it possible to set two different severity level for same Correlation search.

For Eg
My search output list source that are communicating to blacklisted IPs
I have set the severity level as high in notable event of the search. But i want to include one more severity level as "informational" for few IPs.

Thanks

jstoner_splunk · ‎09-08-2017

Within the correlation search you may be able to use an eval command with something like a case statement to do this. However, if you have a list of IPs, I am hoping that there is a second column that has a descriptor like high severity ip and low severity ip. That way the case statement could look for one of the other and assign an urgency based on that value. I have not tested that, but something along those lines should work.

This example we forced an urgency in for reference: https://answers.splunk.com/answers/495073/splunk-enterprise-security-is-there-a-way-to-force.html#an...

Setting Multiple severity level for same Correlation search

Best of Community @.conf20
Humans That Splunk: Meet Abhishek...
Humans That Splunk: Meet Guiseppe...

Visit our Community Blog >

Setting Multiple severity level for same Correlation search

Best of Community @.conf20 Humans That Splunk: Meet Abhishek... Humans That Splunk: Meet Guiseppe... Visit our Community Blog >

Best of Community @.conf20
Humans That Splunk: Meet Abhishek...
Humans That Splunk: Meet Guiseppe...

Visit our Community Blog >