Splunk Enterprise Security

Splunk Enterprise Security: What conditions need to be met to generate an Original Event Window in Incident Review?

Communicator

Hi,

Splunk Enterprise 6.4.1
Splunk Enterprise Security 4.1.1

In incident review, some of my notable events have an original event window which helpfully provides raw details of the event that triggered the notable. Other notables don't seem to have this window.

What conditions need to be met for this window to be generated, as it's a very useful feature that I would like to exploit further?

1 Solution

Communicator

Hi sheamus69,

In incident review, some of my notable events have an original event window which helpfully provides raw details of the event that triggered the notable. Other notables don't seem to have this window.

Not every notable event depends on a single original event, which can be displayed in Incident Review. Think about a correlation search like "Excessive Failed Logins", which goes e.g. over a 1 hour time window and alerts if the number of failed logins per user/host is greater than #X. In this case, there is no "one original event" which can be displayed in your incident review that simply, since multiple events are necessary to trigger the correlation search.

In addition to that (I think), there is a bytes-limit for events that are displayed in the preview. So it might be that you see some events in the IR straight away and others not if the original event is very long.

Greetings


Super Champion

So I'm expanding on excellent feedback provided by @hgrow for anyone looking to show the "Original Event" in their own correlations. I think some of the fields above are possibly based on an earlier release of ES. Specifically, I think the use of orig_splunk_server was replaced with orig_indexer_guid to work more consistently across index clustering.

The following information is based on my analysis of the embedded JavaScript logic in the Incident Review dashboard as of Enterprise Security 4.1.1.

To see the "Original Event" for a notable, both of the following conditions must be met:

  1. The orig_raw field must be provided
  2. Either orig_event_hash or orig_cd must be provided.

As for the search created by the "View original event" link (drill-down search), the following fields will be used (as provided) to build the search string:

  1. orig_time - Used in the base search as _time=VALUE
  2. orig_index - Used in the base search as index=VALUE
  3. orig_indexer_guid - Used in the filter search as index_guid=VALUE
  4. orig_event_hash - Used in the filter search as event_hash=VALUE
  5. orig_cd - Used in the filter search as _cd=VALUE

Note that in between the base search and the filtering search is the `get_event_id` macro. Without this, the indexer_guid and event_hash fields are not available.

Communicator

If you write your own correlation search, just make sure you provide the following fields in your search if possible:

orig_raw, orig_time, orig_cd and orig_splunk_server

These fields are necessary for the Original Event Preview to display the raw event and provide the "view original event" link.

Greetings
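The two posts above (the field list for the "Original Event" window and the recommended orig_* fields for a custom correlation search) describe a decision rule and a field-to-search-term mapping. The script below is an added example, not code from Splunk or from either poster: it re-implements that rule in plain Python so the fields a correlation search emits can be sanity-checked before deployment. The exact shape of the search string Incident Review generates is an assumption here; only the field mapping and the two conditions come from the thread, and the sample notables are constructed.

```python
# Added example (not Splunk ES code): checks a notable event's orig_* fields
# against the conditions described in the thread and assembles a drill-down
# search from whichever locator fields are present. The search string format
# is an assumption; the field-to-term mapping is the one listed in the post.

from typing import Optional

# Notable field -> term used in the base (time/index scoped) search.
BASE_FIELDS = {"orig_time": "_time", "orig_index": "index"}
# Notable field -> term applied after the `get_event_id` macro.
FILTER_FIELDS = {"orig_indexer_guid": "index_guid",
                 "orig_event_hash": "event_hash",
                 "orig_cd": "_cd"}
# Fields the thread recommends a custom correlation search should carry.
RECOMMENDED_FIELDS = ["orig_raw", "orig_time", "orig_index",
                      "orig_indexer_guid", "orig_event_hash", "orig_cd"]


def _present(notable: dict, field: str) -> bool:
    """A field counts as provided only if it exists and is not empty."""
    value = notable.get(field)
    return value is not None and str(value) != ""


def shows_original_event(notable: dict) -> bool:
    """Condition from the thread: orig_raw AND (orig_event_hash OR orig_cd)."""
    return _present(notable, "orig_raw") and (
        _present(notable, "orig_event_hash") or _present(notable, "orig_cd"))


def missing_recommended_fields(notable: dict) -> list:
    """Which of the recommended orig_* fields the notable does not carry."""
    return [f for f in RECOMMENDED_FIELDS if not _present(notable, f)]


def _quote(value) -> str:
    """Emit the value as an SPL string literal, so a value containing spaces
    or quotes cannot alter the structure of the generated search."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def build_drilldown_search(notable: dict) -> Optional[str]:
    """Assemble a 'View original event' style search from the drill-down
    fields that are present. Returns None when the window would not show."""
    if not shows_original_event(notable):
        return None
    base = [f"{term}={_quote(notable[f])}"
            for f, term in BASE_FIELDS.items() if _present(notable, f)]
    filters = [f"{term}={_quote(notable[f])}"
               for f, term in FILTER_FIELDS.items() if _present(notable, f)]
    # The get_event_id macro sits between the base and the filter search;
    # without it the indexer_guid/event_hash fields would not exist.
    search = "search " + " ".join(base) + " | `get_event_id`"
    if filters:
        search += " | search " + " ".join(filters)
    return search


# Constructed sample notables (not real data).
SAMPLE_NOTABLES = {
    # Single-event rule that forwards every locator field.
    "malware_alert": {
        "orig_raw": 'Apr 01 12:00:00 host1 av: threat detected file="x.exe"',
        "orig_time": 1466000000, "orig_index": "av",
        "orig_indexer_guid": "0000-CONSTRUCTED-GUID",
        "orig_event_hash": "0123abcd", "orig_cd": "12:345",
    },
    # Count-based rule (e.g. excessive failed logins): no single original event.
    "excessive_failed_logins": {"user": "alice", "count": 27},
    # Raw text forwarded but neither locator field, so the window stays hidden.
    "raw_only": {"orig_raw": "some event text", "orig_time": 1466000000},
}


if __name__ == "__main__":
    for name, notable in SAMPLE_NOTABLES.items():
        print(name, shows_original_event(notable),
              "missing:", missing_recommended_fields(notable))
        print("   ", build_drilldown_search(notable))
```

Running it on the three constructed notables shows why a count-based rule never gets the window (no orig_raw at all), why forwarding orig_raw alone is not enough (no orig_event_hash or orig_cd), and which fields a rule must add to make the drill-down link fully scoped.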


Communicator

When you put it that way, it makes perfect sense - thanks for the explanation.


Community Manager

Hi @sheamus69

Glad you found a solution for your question! Please don't forget to resolve the post by clicking "Accept" directly below @hgrow's answer.

Cheers
