Splunk Enterprise Security

Splunk Enterprise Security : Variable substitution does not work for all fields?

gargantua
Loves-to-Learn Everything

Hi all,

 

I created a correlation search in SPlunk ES and added a Notable Event in the Adaptative Response Actions.

I'd like to include in the notable some information from the correlation search results, such as : orig_host, ip, and some other custom fields.

  • I went to Incident Review Settings in order to add my custome fields in the Event Attributes
  • I customized my correlation search query in order to name the returned fieds that are named according to the Event Attributes that already exist + the custom ones that I just created
  • In the correlation search, into the "Notable" sub-menu, I added the fields I'd like to enrich my Notable with to Identity Extraction and Asset Extraction


I then added a fiew variables in the title of the created Notable. Something like "the user $custom_field_1$ just connected to the account of the user $custom_field_2$, from the computer $orig_host$ that belongs to $orig_host_owner$.

custom_field_1 and $custom_field_2 variables work and return the right values.

orig_host, orig_host_owner don't and return the strings $orig_host$ and $orig_host_owner$.

I'm a bit confused.

Does anybody have had this before ?

 

Thanks for your kind help !

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...