Splunk Enterprise Security
Highlighted

Severity for Correlation search

Explorer

Hello Expert,
I have requirement to detect malware related events which should create notable event.
In this if action = allowed then it should be critical else it should be high
I have written below search for the same

| tstats summariesonly count from datamodel="Malware"."MalwareAttacks" by "MalwareAttacks.date" "MalwareAttacks.src" "MalwareAttacks.dest" "MalwareAttacks.user" "MalwareAttacks.destntdomain" "MalwareAttacks.url" "MalwareAttacks.event.DetectName" "MalwareAttacks.action" "MalwareAttacks.event.PatternDispositionDescription"
| drop_dm_object_name("Malware_Attacks")
| eval severity=if(like(action, "allowed"),"Critical","High")

If i run this search it gives me expected results but correlation search still creates notable events as per the priorities i guess. Because correlation search still creates notable event with high priority for action=allowed and medium for action!=allowed

Kindly suggest what actions needs to be taken

Thanks in Advance !!!

0 Karma
Highlighted

Re: Severity for Correlation search

Splunk Employee
Splunk Employee

I have a couple of thoughts that I will toss out there and we can see where it goes...

I will point you to this thread where someone was trying to do similar things and was able to force the urgency based on an eval statement. Not sure if this will solve your issue but wanted to provide it as a reference.
https://answers.splunk.com/answers/495073/splunk-enterprise-security-is-there-a-way-to-force.html#an...

A question I had around your example is that you are showing us a correlation search and with a few tweaks to accomodate the data model I have, it looks great! That said, once you have a severity, that needs to be paired with the assets priority to create that urgency in the notable event. I am wondering if the asset priorities are set appropriately to ensure that a critical versus a high maps out to the proper urgencies you want for the assets you are testing against. I would take a look at those assets you are running this against as well and see what that looks like too.
https://docs.splunk.com/Documentation/ES/5.2.0/User/Howurgencyisassigned

Hope this helps.
-john

0 Karma
Highlighted

Re: Severity for Correlation search

Explorer

Thanks for your reply John,
yes I looked at the thread which you have provided earlier, but in that case there is only one single urgency, where in this case I have to work with conditions to define 2 levels or urgency based on conditions which i have provided in above query.

I guess, my correlation search is working with below criteria as per the matrix

If asset priority is unknown or low and event severity is high, the event urgency is medium.
If asset priority is unknown or low and event severity is critical, the event urgency is high.

As suggested, I was looking into the logs but didn't find any priority related to asset or identity, so I am considering it as unknown which is default one

But again, document itself says that "Severity defined in the search syntax takes precedence over the severity defined in the notable event adaptive response action."

So i guess if i am specifying some conditions in my search itself then it should not go to urgency matrix further. Please correct me if i am wrong

I am running this query for crowdstrike data against Endpoints to get malware details

Thanks in Advance

0 Karma
Highlighted

Re: Severity for Correlation search

Explorer

Hi @jstoner_splunk
Did you get chance to look into this ?

0 Karma
Highlighted

Re: Severity for Correlation search

Splunk Employee
Splunk Employee

Sorry for the delay on my response...

The priority is set at the asset or identity lookup so if you wanted to set the priority to improve the output of what we refer to as the urgency that would be the place to do it. You won't find that value in the event logs, it will be in those context tables, ie lookups.

If we work under the assumption that the devices are both unknown priority for now, based on the default matrix you would get an urgency of medium for when the action is NOT allowed and an urgency of high when the action is allowed. I concur with your assessment.

You are also correct that severity as you have defined it in search takes precedence over the defined severity in the notable event.

Think of the notable event rating system as Urgency = Priority x Severity. Urgency is the end value we are going after. You have overridden the default notable severity by putting it in the search, but the calculation I put above to get an Urgency still plays out on every notable event created. So while you can override the severity as you have, it still needs to get mixed with the priority and if the priority isn't defined for the assets, that matrix will be outputting Med and High for the urgency as you called out above.

You can either factor our the priority by modifying the matrix or you can apply some priority to certain kinds of devices so that the analysts can perhaps quantify which notable they should prioritize which is the idea behind creating an urgency from a severity and a priority.

I hope this clears up things a bit.

0 Karma