Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: What conditions need to be met to generate an Original Event Window in Incident Review?

sheamus69
Communicator
‎06-24-2016 02:17 AM

Hi,

Splunk Enterprise 6.4.1
Splunk Enterprise Security 4.1.1

In incident review, some of my notable events have an original event window which helpfully provides raw details of the event that triggered the notable. Other notables don't seem to have this window.

What conditions need to be met for this window to be generated as it's a very useful feature that I would like to exploit further?

Reply
1 Solution
Solved! Jump to solution
Solution

hgrow
Communicator
‎06-24-2016 08:41 AM

Hi sheamus69,

In incident review, some of my notable events have an original event window which helpfully provides raw details of the event that triggered the notable. Other notables don't seem to have this window.

Not every notable event depends on a single original event, which can be displayed in Incident Review. Think about a correlation search like "Excessive Failed Logins", which goes f.e. over a 1 hour time window and alerts if the number of failed logins per user/host is greater than #X. In this case, there is no "one original event" which can be displayed in your incident review that simplly, since multiple events are necessary to trigger the correlation search.

In addition to that (i think), there is a bytes-limit for events that are displayed in the preview. So it might be that you see some events in the IR straight away and other not if the original event is very long.

Greetings

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎11-10-2016 07:36 AM

So I'm expanding on excellent feedback provided by @hgrow for anyone looking to show the "Original Event" in their own correlations. I think some of the fields above are possibly based on an earlier release of ES. Specifically, I think the use of orig_splunk_server was replaced with orig_indexer_guid to work more consistently across index clustering.

The following information is based on my analysis of the embed Javascript logic in the Incident Review dashboard as of Enterprise Security 4.1.1.

To see the "Original Event" for a notable, both of the following conditions must be met:

  1. The orig_raw field must be provided
  2. Either orig_event_hash or orig_cd must be provided.

As for the search created by the "View original event" link (drill-down search), the following fields will be used (as provided) to build the search string:

  1. orig_time - Used in the base search as _time=VALUE
  2. orig_index - Use in the base search as index=VALUE
  3. orig_indexer_guid - Used in the filter search as index_guid=VALUE
  4. orig_event_hash- Used in the filter search as event_hash=VALUE
  5. orig_cd- Used in the filter search as _cd=VALUE

Note that in between the base search and the filtering search is the `get_event_id` macro. Without this, the indexer_guid and event_hash fields are not available.

Reply
Solved! Jump to solution

hgrow
Communicator
‎06-27-2016 02:44 AM

If you write your own correlation search, just make sure you provide the following fields in your search if possible:

orig_raw, orig_time, orig_cd and orig_splunk_server

These fields are necessary for the Original Event Preview to display the raw event and provide the "view original event" link.

Greetings

Reply
Solved! Jump to solution
Solution

hgrow
Communicator
‎06-24-2016 08:41 AM

Hi sheamus69,

In incident review, some of my notable events have an original event window which helpfully provides raw details of the event that triggered the notable. Other notables don't seem to have this window.

Not every notable event depends on a single original event, which can be displayed in Incident Review. Think about a correlation search like "Excessive Failed Logins", which goes f.e. over a 1 hour time window and alerts if the number of failed logins per user/host is greater than #X. In this case, there is no "one original event" which can be displayed in your incident review that simplly, since multiple events are necessary to trigger the correlation search.

In addition to that (i think), there is a bytes-limit for events that are displayed in the preview. So it might be that you see some events in the IR straight away and other not if the original event is very long.

Greetings

Reply
Solved! Jump to solution

sheamus69
Communicator
‎06-27-2016 01:52 AM

When you put it that way, it makes perfect sense - thanks for the explantion.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎06-28-2016 12:21 PM

Hi @sheamus69

Glad you found a solution for your question! Please don't forget to resolve the post by clicking "Accept" directly below @hgrow's answer.

Cheers

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...