Splunk Enterprise Security : Variable substitution does not work for all fields?

gargantua
Loves-to-Learn Everything

Hi all,


I created a correlation search in Splunk ES and added a Notable Event in the Adaptive Response Actions.

I'd like to include in the notable some information from the correlation search results, such as: orig_host, ip, and some other custom fields.

  • I went to Incident Review Settings in order to add my custom fields in the Event Attributes
  • I customized my correlation search query in order to name the returned fields according to the Event Attributes that already exist + the custom ones that I just created
  • In the correlation search, in the "Notable" sub-menu, I added the fields I'd like to enrich my Notable with to Identity Extraction and Asset Extraction


I then added a few variables in the title of the created Notable. Something like "the user $custom_field_1$ just connected to the account of the user $custom_field_2$, from the computer $orig_host$ that belongs to $orig_host_owner$".

The $custom_field_1$ and $custom_field_2$ variables work and return the right values.

$orig_host$ and $orig_host_owner$ don't, and return the literal strings $orig_host$ and $orig_host_owner$.

I'm a bit confused.

Has anybody had this before?


Thanks for your kind help !

0 Karma
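The symptom above (some `$field$` tokens resolved, others left as the literal string) is what you get from any template substitution that only knows the fields actually present in the result row it was handed. The following is an added illustration, not Splunk's own code and not a statement of how ES implements token substitution: a small model of `$field$` replacement over a constructed result row, plus a helper that lists which tokens in a title have no matching field. The row contents and the `$orig_host$`/`$orig_host_owner$` gap are constructed to mirror the post; use a helper like `unresolved_tokens` as a checklist for confirming that every field referenced in the title really is emitted, under exactly that name, by the correlation search's final result set.

```python
import re

# Constructed sample row, as a correlation search might return it.
# Note that orig_host and orig_host_owner are deliberately absent,
# mirroring the situation described in the post.
SAMPLE_ROW = {
    "custom_field_1": "alice",
    "custom_field_2": "bob",
    "ip": "10.0.0.5",
}

# Notable title template, with the same tokens as in the post.
TITLE_TEMPLATE = (
    "the user $custom_field_1$ just connected to the account of the user "
    "$custom_field_2$, from the computer $orig_host$ that belongs to $orig_host_owner$"
)

# A token is $name$ where name is a field-like identifier.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def substitute(template: str, row: dict) -> str:
    """Replace each $field$ with row[field].

    Tokens naming a field that is not in the row are left untouched,
    which is how the literal "$orig_host$" ends up in a rendered title.
    """
    def repl(match: re.Match) -> str:
        name = match.group(1)
        return str(row[name]) if name in row else match.group(0)

    return TOKEN_RE.sub(repl, template)


def unresolved_tokens(template: str, row: dict) -> list:
    """Return, sorted, the token names in template that the row cannot satisfy.

    Handy as a pre-flight check: run the correlation search, take one result
    row, and confirm this list is empty before relying on the title.
    """
    return sorted({name for name in TOKEN_RE.findall(template) if name not in row})


if __name__ == "__main__":
    print(substitute(TITLE_TEMPLATE, SAMPLE_ROW))
    print("unresolved:", unresolved_tokens(TITLE_TEMPLATE, SAMPLE_ROW))
```

If `unresolved_tokens` is empty for a real row but the rendered notable still shows literal tokens, the problem is somewhere between the search output and the action's view of it (a field dropped or renamed before the notable is built, for example); if it is non-empty, the search itself is not emitting the field under that name.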