Hi,
Splunk Enterprise 6.4.1
Splunk Enterprise Security 4.1.1
In incident review, some of my notable events have an original event window which helpfully provides raw details of the event that triggered the notable. Other notables don't seem to have this window.
What conditions need to be met for this window to be generated, as it's a very useful feature that I would like to exploit further?
Hi sheamus69,
In incident review, some of my notable events have an original event window which helpfully provides raw details of the event that triggered the notable. Other notables don't seem to have this window.
Not every notable event depends on a single original event, which can be displayed in Incident Review. Think about a correlation search like "Excessive Failed Logins", which goes e.g. over a 1 hour time window and alerts if the number of failed logins per user/host is greater than #X. In this case, there is no "one original event" which can be displayed in your incident review that simply, since multiple events are necessary to trigger the correlation search.
In addition to that (I think), there is a bytes-limit for events that are displayed in the preview. So it might be that you see some events in the IR straight away and others not if the original event is very long.
Greetings
So I'm expanding on excellent feedback provided by @hgrow for anyone looking to show the "Original Event" in their own correlations. I think some of the fields above are possibly based on an earlier release of ES. Specifically, I think the use of orig_splunk_server was replaced with orig_indexer_guid to work more consistently across index clustering.
The following information is based on my analysis of the embed Javascript logic in the Incident Review dashboard as of Enterprise Security 4.1.1.
To see the "Original Event" for a notable, both of the following conditions must be met:
1. The orig_raw field must be provided.
2. Either orig_event_hash or orig_cd must be provided.
As for the search created by the "View original event" link (drill-down search), the following fields will be used (as provided) to build the search string:
orig_time - Used in the base search as _time=VALUE
orig_index - Used in the base search as index=VALUE
orig_indexer_guid - Used in the filter search as index_guid=VALUE
orig_event_hash - Used in the filter search as event_hash=VALUE
orig_cd - Used in the filter search as _cd=VALUE
Note that in between the base search and the filtering search is the `get_event_id`
macro. Without this, the indexer_guid and event_hash fields are not available.
If you write your own correlation search, just make sure you provide the following fields in your search if possible:
orig_raw, orig_time, orig_cd and orig_splunk_server
These fields are necessary for the Original Event Preview to display the raw event and provide the "view original event" link.
Greetings
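As an added illustration (not from the answers above and not Splunk's shipped content): a minimal per-event correlation search that carries the fields listed above into the notable so that Incident Review can render the Original Event preview and build the "View original event" link. The index, sourcetype, EventCode and the user/src field names are constructed placeholders; the `get_event_id` macro is relied on only for what the answer above states it provides (the indexer_guid and event_hash fields).

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| eval orig_raw=_raw, orig_time=_time, orig_index=index, orig_cd=_cd
| `get_event_id`
| eval orig_indexer_guid=indexer_guid, orig_event_hash=event_hash
| table _time user src orig_raw orig_time orig_index orig_cd orig_indexer_guid orig_event_hash
```

The orig_* copies are taken before any transforming command, because a search that aggregates (for example `| stats count by user | where count > 10`) discards _raw, _cd and the macro's fields, which is exactly the "no single original event" case described by @hgrow.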
When you put it that way, it makes perfect sense - thanks for the explanation.
Hi @sheamus69
Glad you found a solution for your question! Please don't forget to resolve the post by clicking "Accept" directly below @hgrow's answer.
Cheers