Splunk Enterprise Security

Splunk Enterprise Security Notable Event Title Not Working

mpham07
Path Finder

Hello all,

I'm currently stumped in trying to figure out why my notable event token is not working. I verified that the field the token uses exists in the correlation search result (example below).

 | stats dc("dest") AS host_count


Notable Event Title:

on $host_count$ hosts.

The token for some reason doesn't expand and output the number 13...

Can you guys help in figuring this out? Thank you for your time.


memarshall63
Communicator

When you see the incident in Incident Review -- Have you ever looked at the 'notable' drill down?

This will drill down to the raw event in the notables index. Check to make sure your field is there.

Sometimes field names get manipulated in the notable so they don't collide with the fields in the notable index.


memarshall63
Communicator

The Notable link is on the lower right... under Adaptive Responses.


mpham07
Path Finder

Hi @memarshall63,

Thanks for the quick response. This correlation search isn't using a datamodel or tstats and we're just searching against a custom index (old searches previously made by someone else...)

So I verified the drill down search has the same field. I've been ripping my hair out trying different stuff to get it to work but no luck ;__; It's not a big deal but it bugs the heck outta me.


memarshall63
Communicator

So you're saying that a token in the "Drill-down Name" field of your Notable isn't working, but the same token when used in the "Drill-down Search" field gets passed correctly to the drill-down search?

If that's what you're seeing -- then that is a bit nasty. I'd start to wonder whether your browser is telling you the truth. Clear browser cache?


mpham07
Path Finder

I cleared my browser cache and history but no luck.

There are two tokens used in the Notable Event title; it's just that the host_count field doesn't work for some reason. Initially I didn't use host_count in the drill-down search title, but I tested it just now and that also doesn't work for some reason. I only pass the working token to the actual drill-down search and title, and that works fine.

The issue just seems to be the host_count field.


memarshall63
Communicator

Hmm... tough to say. At least you're saying that the token doesn't work no matter where you try to use it. That gets us back into normal territory.

I'm confused how you're using a stats command, but also generating the rest of the notable fields. Maybe you can post a few more details of your search output, or the notable that comes out of it.


mpham07
Path Finder

So the correlation search looks like this:

index=test sourcetype="example" | stats dc(dest) AS host_count, values("dest") AS host_name, values("match_hash") AS hash, values("path") AS file_path by "intel_name"

So it outputs a table like this:
intel_name | host_count | host_name | hash | file_path

All of the fields are in the notable index when I checked. I used the hash field token just fine in the notable event title - not sure what's going on...


memarshall63
Communicator

Does your resulting table only have a single row in it? Or are there multiple rows?

dc returns a single value, but I think values returns a multi-value field.
I'm just shooting in the dark at this point, but maybe:

Change dc(dest) AS host_count -> values(dest) AS host_count
Swap the field names -> dc(dest) AS hash, values("match_hash") AS host_count
Remove the by "intel_name".

I did notice that you seem to be quoting the other fields, but not dc(dest)?

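As an added illustration (not code from this thread, and not part of Splunk or Enterprise Security), a small pre-check that can be run over a correlation search's exported results to confirm the two things memarshall63 suggests verifying: that every $token$ in the notable title names a field that is actually present in the result row, and that the field is single-valued rather than multivalue. The row values below are constructed to match the table shape described in the thread (intel_name | host_count | host_name | hash | file_path).

```python
import re

# Constructed sample row shaped like the thread's stats output.
# Multivalue fields (from values()) are represented as Python lists.
SAMPLE_ROW = {
    "intel_name": "intel-feed-A",
    "host_count": "13",                                 # from dc(dest): single value
    "host_name": ["host01", "host02", "host03"],        # from values(dest): multivalue
    "hash": ["placeholder-hash-0001"],                  # constructed placeholder, single value
    "file_path": ["C:\\temp\\a.exe", "C:\\temp\\b.exe"],
}

# Tokens in a notable title look like $field_name$.
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_]+)\$")


def check_tokens(template, row):
    """Return {token: status} for every $token$ in the title template.

    status is 'ok', 'missing' (no such field in the row) or
    'multivalue' (field present but holds more than one value).
    """
    report = {}
    for name in TOKEN_RE.findall(template):
        if name not in row:
            report[name] = "missing"
        elif isinstance(row[name], list) and len(row[name]) > 1:
            report[name] = "multivalue"
        else:
            report[name] = "ok"
    return report


def expand(template, row):
    """Substitute resolvable tokens; leave unknown tokens as-is so they stand out.

    Assumption for display only: a multivalue field is joined with commas;
    this does not claim to reproduce how Splunk itself renders such fields.
    """
    def sub(match):
        name = match.group(1)
        if name not in row:
            return match.group(0)
        value = row[name]
        return ",".join(value) if isinstance(value, list) else str(value)
    return TOKEN_RE.sub(sub, template)


if __name__ == "__main__":
    title = "Threat match on $host_count$ hosts with hash $hash$"
    print(check_tokens(title, SAMPLE_ROW))
    print(expand(title, SAMPLE_ROW))
```

Run it against the real exported row (Incident Review's notable drill-down shows the raw event) by replacing SAMPLE_ROW with the actual field values.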