Splunk Enterprise Security: How to generate a list of correlation searches showing severity ratings, risk scores, and status (enabled/disabled)?

sheamus69
Communicator

Hi,

This question relates to:
- Splunk Enterprise 6.4.1
- Splunk Enterprise Security 4.1.1

I am trying to generate a list of existing correlation searches which includes the following details:

  • Title
  • Description
  • Severity
  • Status (enabled / disabled)
  • Risk Object field (optional, but nice to have)
  • Risk Object Type
  • Risk Score

I have put together the following:

|rest /services/alerts/correlationsearches|rename eai:acl.app as app, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl.app as app, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled]|eval status=if(disabled==1,"Disabled","Enabled")|table app, security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status

This produces something like:

security_domain rule_title  csearch_name    description severity    csearch disabled    status
access  Account Deleted Access - Account Deleted - Rule Detects user and computer account deletion  medium  [search content here]   1   Disabled

Which gives me part of what I want, but I am unsure how to pull in the risk scores attached to the correlation search.

How does Splunk tie the risk scores into the correlation search, and how would I go about attaching it to the search?

0 Karma
1 Solution

smoir_splunk
Splunk Employee

The risk scores can be set within the search itself (like the threat activity detected search) or as an action as a result of the search matching the desired pattern. You can't pull the search-driven risk scores from REST, but you can pull the risk information from the action.risk.param.* settings. That should help you pull the scores out.

miketinney
New Member

Since ES has been upgraded to 4.7, this excellent and useful search no longer works...

Any idea how to recreate this in 4.7?

0 Karma

sheamus69
Communicator

Hi Mike,

The /services/alerts/correlationsearches endpoint has effectively been merged with /services/saved/searches in Splunk ES 4.7.

Here's something I've quickly knocked together which appears to work:

|rest /services/saved/searches|search action.correlationsearch.enabled=1|rename eai:acl.app as Application, title as csearch_name, qualifiedSearch as csearch, action.notable.param.security_domain as security_domain, action.notable.param.severity as severity |eval status=if(disabled==1,"Disabled","Enabled")|table security_domain action.correlationsearch.enabled rule_title csearch_name description severity csearch status action.risk.param._risk_object action.risk.param._risk_object_type action.risk.param._risk_score auto_summarize.cron_schedule actions

Any issues let me know.

0 Karma

fwump38
New Member

I just stumbled upon this answer and thought I'd add my own query for getting all of the correlation search metadata:

| localop 
| rest /services/alerts/correlationsearches  
| join id [| rest /services/saved/searches | eval state=if(disabled=0,"Enabled","Disabled") | fields id state is_scheduled search actions alert.suppress.fields alert.suppress alert.suppress.period cron_schedule dispatch.earliest_time dispatch.latest_time updated action.risk action.risk._risk_object action.risk._risk_object_type action.risk._risk_score eai:acl.app | replace */saved/searches* with */alerts/correlationsearches* in id] 
| search state="Enabled" 
| rex max_match=10 field=search "(?:datamodel(\s |=))(?<datamodels>[\w]+)"  
| rex max_match=10 field=search "(?:index(=))(?<indexes>[\w]+)" 
| join [| rest /services/server/info | fields splunk_server]
| eval throttling=if('alert.suppress'=1,"TRUE","FALSE") 
| eval "action.risk"=if('action.risk'=1,"TRUE","FALSE") 
| eval "action.notable"=mvfind(actions,"notable")
| eval "action.notable"=if('action.notable'=0,"TRUE","FALSE")
| nomv datamodels 
| nomv indexes 
| rename rule_name as "rule name" state as "rule state" kill_chain as "kill chain" "eai:acl.app" as "app" description as "objective" search as "rule logic" "dispatch.earliest_time" as "earliest" "dispatch.latest_time" as "latest" cron_schedule as "cron schedule" "alert.suppress.period" as "throttling period" "alert.suppress.fields" as "throttling fields" "action.notable" as "notable" rule_title as "notable title" rule_description as "notable description" severity as "severity" drilldown_search as "drilldown" drilldown_earliest_offset as "drilldown earliest" drilldown_latest_offset as "drilldown latest" "action.risk" as "risk" "action.risk._risk_score" as "risk modifier" "action.risk._risk_object" as "risk object" "action.risk._risk_object_type" as "risk type" 
| fillnull value=""  
| fields "rule name" "rule state" "kill chain" app objective "rule logic" earliest latest "cron schedule" throttling "throttling period" "throttling fields" notable "notable title" "notable description" severity drilldown "drilldown earliest" "drilldown latest" risk "risk modifier" "risk object" "risk type" datamodels indexes
| fields - _timediff

0 Karma

sheamus69
Communicator

Where are the action.risk.param.* held?

0 Karma

sheamus69
Communicator

Never mind - I was being dense 🙂

|rest /services/alerts/correlationsearches|rename eai:acl.app as app, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl.app as app, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled, action.risk.param.*]|eval status=if(disabled==1,"Disabled","Enabled")|table app, security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status, action.risk.param.*

worked fine for me.

Cheers for the assist.
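The point the accepted answer makes is that the risk score is a property of the risk *action* (the action.risk.param.* settings), not of the correlation search entry itself, which is why the saved-search side of the join is where it has to come from. The script below is an added example, not code from any poster in this thread: it builds the same inventory from the JSON form of /services/saved/searches (assumed fetched with output_mode=json; the HTTP call is out of scope here), filters on action.correlationsearch.enabled the way sheamus69's 4.7 query does, and pulls referenced data models and indexes out of the search text the way fwump38's rex lines do. The REST response is a constructed sample, so it runs offline; the rule names and app names in it are made up for the example.

```python
"""Added example (not posted in the thread): inventory ES correlation searches
from the JSON form of /services/saved/searches.

Assumptions not stated in the thread: output_mode=json was used, and Splunk's
REST JSON layout (entry[].name, entry[].acl.app, entry[].content.<setting>)
holds. SAMPLE_RESPONSE below is constructed for this example.
"""
import json
import re
from typing import Any

# Same idea as the thread's rex lines: which data models / indexes a rule reads from.
DATAMODEL_RE = re.compile(r"datamodel(?:\s+|=)\s*(\w+)")
INDEX_RE = re.compile(r"\bindex\s*=\s*\"?(\w+)")

# Constructed sample: two correlation searches (one with a risk action, one without)
# and one ordinary saved search that must be filtered out.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Access - Account Deleted - Rule",
     "acl": {"app": "SA-AccessProtection"},
     "content": {
         "disabled": True,
         "action.correlationsearch.enabled": "1",
         "description": "Detects user and computer account deletion",
         "action.notable.param.security_domain": "access",
         "action.notable.param.severity": "medium",
         "actions": "notable, risk",
         "action.risk.param._risk_object": "user",
         "action.risk.param._risk_object_type": "user",
         "action.risk.param._risk_score": "60",
         "qualifiedSearch": "| tstats count from datamodel=Change_Analysis where nodename=All_Changes by All_Changes.user"}},
    {"name": "Endpoint - Example Brute Force - Rule",  # constructed name
     "acl": {"app": "DA-ESS-ExampleApp"},              # constructed app
     "content": {
         "disabled": False,
         "action.correlationsearch.enabled": 1,
         "description": "Constructed rule with a notable action but no risk action",
         "action.notable.param.security_domain": "endpoint",
         "action.notable.param.severity": "high",
         "actions": "notable",
         "qualifiedSearch": "search index=wineventlog EventCode=4625 | stats count by user"}},
    {"name": "Errors in the last 24 hours",
     "acl": {"app": "search"},
     "content": {"disabled": False, "qualifiedSearch": "search index=_internal log_level=ERROR"}},
]})


def _truthy(value: Any) -> bool:
    """REST content mixes JSON booleans with "0"/"1"/"true" strings; treat them alike."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "t", "yes"}


def _cell(value: Any) -> str:
    return "" if value is None else str(value)


def parse_correlation_searches(json_text: str) -> list[dict[str, Any]]:
    """One row per correlation search: title, status, severity and the risk action's settings."""
    rows = []
    for entry in json.loads(json_text).get("entry", []):
        content = entry.get("content", {})
        # The 4.7-style filter from the thread: only saved searches flagged as correlation searches.
        if not _truthy(content.get("action.correlationsearch.enabled", "0")):
            continue
        search_text = content.get("qualifiedSearch") or content.get("search", "")
        score = content.get("action.risk.param._risk_score")
        rows.append({
            "app": entry.get("acl", {}).get("app"),
            "csearch_name": entry.get("name"),
            "description": content.get("description", ""),
            "security_domain": content.get("action.notable.param.security_domain"),
            "severity": content.get("action.notable.param.severity"),
            "status": "Disabled" if _truthy(content.get("disabled", False)) else "Enabled",
            # Risk settings live on the risk action; a rule without that action has none.
            "risk_object": content.get("action.risk.param._risk_object"),
            "risk_object_type": content.get("action.risk.param._risk_object_type"),
            "risk_score": int(float(score)) if score not in (None, "") else None,
            "datamodels": sorted(set(DATAMODEL_RE.findall(search_text))),
            "indexes": sorted(set(INDEX_RE.findall(search_text))),
        })
    return rows


def render_table(rows, columns=("csearch_name", "status", "severity", "risk_object_type", "risk_score")):
    """Fixed-width text table for reading the inventory on the command line."""
    widths = {c: max([len(c)] + [len(_cell(r.get(c))) for r in rows]) for c in columns}
    lines = ["  ".join(c.ljust(widths[c]) for c in columns)]
    for r in rows:
        lines.append("  ".join(_cell(r.get(c)).ljust(widths[c]) for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(parse_correlation_searches(SAMPLE_RESPONSE)))
```

Against a live instance, replace SAMPLE_RESPONSE with the body returned by GET /services/saved/searches?output_mode=json&count=0 (pagination defaults to 30 entries, so count=0 matters for a full inventory); the column names in the rows line up with the fields the thread's SPL queries table, so the two can be cross-checked.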
