Splunk Enterprise Security: How can I configure a Correlation Search to add risk to 2 objects?
Hi,
How can I configure a Correlation Search in ES to add risk to 2 objects (src & dest)? I can only configure an Adaptive Response Action once from the drop-down menu.
savedsearches.conf shows the following:
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 60
action.risk.param.verbose = 0
action.risk = 1 just means this is enabled. I can't add a second set of parameters with action.risk = 2 for a second instance of that action, right? At least it did not work for me when I tried it.
Regards
Chris
Splunk Version: 6.6.3
ES Version: 4.7.4
data:image/s3,"s3://crabby-images/b5db7/b5db78eeb9daab00135c6d47ba91f077bf0ea8c0" alt="smoir_splunk smoir_splunk"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Sorry @chris, it isn't possible today to run multiple adaptive response actions of the same type on different fields.
For your specific example, you can add risk to dest by modifying the search syntax of the correlation search. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBD for examples using |sendalert
It seems like I was too quick accepting your answer. The risk is added if I do a manual search, but the correlation search does not generate a notable event anymore if I add
| localop | eval risk_object=user | sendalert risk param._risk_object_type="user" param._risk_score=60 | rename risk_object as myrisk_object
I tried with and without the localop command. Any ideas?
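The question above asks for risk on both src and dest, and the follow-up shows the sendalert form of the risk action with a single eval'd risk_object. The search below is an added example, not code from the thread or from Splunk ES, and it assumes the pattern the thread already uses: the risk modular alert reads the risk_object field from each result, sendalert passes the results through to the next command, and the base search (index=firewall with a src/dest count) is a constructed placeholder for whatever the correlation search really does. SPL of that vintage has no comment syntax, so the explanation follows the block.

```spl
index=firewall action=blocked earliest=-1h
| stats count by src, dest
| where count > 100
| eval risk_object=src
| sendalert risk param._risk_object_type="system" param._risk_score=60
| eval risk_object=dest
| sendalert risk param._risk_object_type="system" param._risk_score=40
```

Each sendalert call scores whichever value is currently in risk_object, so the first call writes a risk event for src and the second one for dest; the scores are free to differ per object. Because the risk action now lives in the search string, the GUI-configured risk action (action.risk = 1 with _risk_object = src in savedsearches.conf) should be removed from that correlation search, otherwise src is scored twice per trigger; the notable event action is left configured in the GUI so it still fires on the final results. If risk events stop appearing, the job inspector's search.log is the place to look, since a failing modular alert shows up there as "Error in 'sendalert' command: Alert script returned error code", as it did later in this thread.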
I added the | rename risk_object as myrisk_object to test if the field was somehow relevant; it does not make a difference whether it is in place or not.
This is the error I see in the search.log if I go to the job inspector:
11-30-2017 14:40:06.168 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'sendalert' command: Alert script returned error code 3.
This works, thank you very much.
data:image/s3,"s3://crabby-images/9dd94/9dd94b2e112752e754d596f78e5ce328b89fc899" alt="woodcock woodcock"
What works? You replied to yourself saying that it doesn't work????
data:image/s3,"s3://crabby-images/379cb/379cb614a70ac5639421d493d948b8c26b85ecf1" alt="starcher starcher"
A number of us have a feature request in to support GUI multiple occurrences of the same adaptive response in a correlation search. But its a road map kind of thing since it requires the ES developers to rework a lot of code.
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""