Splunk Enterprise Security: What happens to host_* fields in notable events?

gabriel_vasseur
Contributor

I have a correlation search that includes the field host and is enriched with all the usual fields such as host_nt_host, host_ip, etc. from using the get_asset macro.

I know that the host field in the correlation search results is replaced with the orig_host field in the stored notable event, but why are the other host_* fields not included in the notable index, even as orig_host_* fields? How can I get them?

I can see that etc/apps/SA-ThreatIntelligence/default/log_review.conf mentions fields like orig_host_nt_host in the list of incident review attributes. Yet still no trace of that field in the notable index.

The best workaround I can think of so far is to rename host to dest early in the correlation search, because I know this will work. However, it is not a satisfying solution since in the context of my correlation search the host is not a source or a destination, it's just a host...


jwelch_splunk
Splunk Employee

[notable_by_id(1)]

definition = get_notable_index | eval get_event_id_meval,rule_id=event_id | search event_id="$event_id$" | fields - host_* | tags outputfield=tag | mvappend_field(tag,orig_tag) | dedup rule_id | notable_xref_lookup | get_correlations | get_current_status | get_owner | get_urgency | typer | tags outputfield=tag | mvappend_field(tag,orig_tag) | suppression_extract | risk_correlation

It is the "| fields - host_*" where we dump them.


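One way to keep the asset enrichment on the notable without pretending the host is a destination, given that the retrieval macro above strips everything matching host_*: rename the enriched fields to a prefix the wildcard does not match before the correlation search finishes. This is an added example, not code from the thread or from Splunk; the source search, the asset_host_ prefix and the assumption that the notable index stores all result fields that survive the rename are mine. Only the rename of host to orig_host on write and the fields - host_* on read are documented on this page.

```spl
index=os sourcetype=linux_secure "Accepted password"
| stats count AS login_count BY host
| `get_asset(host)`
| rename host_* AS asset_host_*
```

To check whether the enrichment actually reached the notable index after the correlation search fires, read the notables back through the same macro jwelch_splunk quoted, so the fields - host_* step is applied exactly as Incident Review applies it:

`notable` | search search_name="<your correlation search name>" | table orig_host asset_host_nt_host asset_host_ip login_count

If orig_host is populated but the asset_host_* columns are empty, the fields were lost at write time rather than by the read macro, and the rename workaround is not the cause.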

alemarzu
Motivator

Hi @gabriel_vasseur
Are those assets present in the "asset and identity" lookup table that you are supposed to manually fill?


gabriel_vasseur
Contributor

Yes, the fields are populated when I run the search in the search bar, but they are not included in the notable event.


smoir_splunk
Splunk Employee

Try searching the index using the notable macro, rather than searching the index directly. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more details.

gabriel_vasseur
Contributor

I downvoted this post because, sorry, this doesn't help.


gabriel_vasseur
Contributor

Thanks for the link, unfortunately it doesn't help. Whether I search the notable index directly, with the macro, or use the Incident Review web UI, the fields I want are not there.
