This question relates to:
- Splunk Enterprise 6.4.1
- Splunk Enterprise Security 4.1.1
I am trying to generate a list of existing correlation searches which includes the following details:
I have put together the following:
|rest /services/alerts/correlationsearches|rename eai:acl:app as application, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl:app as application, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled]|eval status=(if(disabled==1,"Disabled","Enabled")|table app security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status
This produces something like:
security_domain rule_title csearch_name description severity csearch disabled status access Account Deleted Access - Account Deleted - Rule Detects user and computer account deletion medium [search content here] 1 Disabled
Which gives me part of what I want, but I am unsure how to pull in the risk scores attached to the correlation search.
How does Splunk tie the risk scores into the correlation search, and how would I go about attaching it to the search?
The risk scores can be set within the search itself (like the threat activity detected search) or as an action as a result of the search matching the desired pattern. You can't pull the search-driven risk scores from REST, but you can pull the risk information from the
action.risk.param.* settings. That should help you pull the scores out.
Where are the
Never mind - I was being dense 🙂
|rest /services/alerts/correlationsearches|rename eai:acl:app as application, title as csearch_name |join type=outer app csearch_name [rest /services/saved/searches| rename eai:acl:app as application, title as csearch_name, search as csearch|table app, csearch_name, csearch, disabled, action.risk.param.*]|eval status=(if(disabled==1,"Disabled","Enabled")|table app security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status, action.risk.param.*
worked fine for me.
Cheers for the assist.
I just stumbled upon this answer and thought I'd add my own query for getting all of the correlation search metadata:
| localop | rest /services/alerts/correlationsearches | join id [| rest services/saved/searches | eval state=if(disabled=0,"Enabled","Disabled") | fields id state is_scheduled search actions alert.suppress.fields alert.suppress alert.suppress.period cron_schedule state dispatch.earliest_time dispatch.latest_time updated action.risk action.risk._risk_object action.risk._risk_object_type action.risk._risk_score eai:acl.app | replace */saved/searches* with */alerts/correlationsearches* in id] | search state="Enabled" | rex max_match=10 field=search "(?:datamodel(\s |=))(?<datamodels>[\w]+)" | rex max_match=10 field=search "(?:index(=))(?<indexes>[\w]+)" | join [| rest /services/server/info | fields splunk_server] | eval throttling=if('alert.suppress'=1,"TRUE","FALSE") | eval "action.risk"=if('action.risk'=1,"TRUE","FALSE") | eval "action.notable"=mvfind(actions,"notable") | eval "action.notable"=if('action.notable'=0,"TRUE","FALSE") | nomv datamodels | nomv indexes | rename rule_name as "rule name" state as "rule state" kill_chain as "kill chain" "eai:acl.app" as "app" description as "objective" search as "rule logic" "dispatch.earliest_time" as "earliest" "dispatch.latest_time" as "latest" cron_schedule as "cron schedule" "alert.suppress.period" as "throttling period" "alert.suppress.fields" as "throttling fields" "action.notable" as "notable" rule_title as "notable title" rule_description as "notable description" severity as "severity" drilldown_search as "drilldown" drilldown_earliest_offset as "drilldown earliest" drilldown_latest_offset as "drilldown latest" "action.risk" as "risk" "action.risk._risk_score" as "risk modifier" "action.risk._risk_object" as "risk object" "action.risk._risk_object_type" as "risk type" | fillnull value="" | fields "rule name" "rule state" "kill chain" app objective "rule logic" earliest latest "cron schedule" throttling "throttling period" "throttling fields" notable "notable title" "notable description" severity drilldown "drilldown earliest" "drilldown latest" risk "risk modifier" "risk object" "risk type" datamodels indexes | fields - _timediff
Since ES has been upgraded to 4.7, this excellent and useful search no longer works...
Any idea how to recreate in 4.7 ??
The /services/alerts/correlationsearches file has efectively been merged with /services/saved/searches in Splunk ES 4.7.
Heres something I've quickly knocked together which appears to work:
|rest /services/saved/searches|search action.correlationsearch.enabled=1|rename eai:acl.app as Application, title as csearch_name, qualifiedSearch as csearch, action.notable.param.security_domain as security_domain, action.notable.param.severity as severity |eval status=if(disabled==1,Disabled,Enabled)|table security_domain action.correlationsearch.enabled rule_title csearch_name description severity csearch status action.risk.param._risk_object action.risk.param._risk_object_type action.risk.param._risk_score auto_summarize.cron_schedule actions
Any issues let me know.