I have a correlation search that includes the field host and is enriched with all the usual fields such as host_nt_host, host_ip, etc from using the get_asset macro.
I know that the host field in the correlation search results is replaced with the orig_host field in the stored notable event, but why are the other host_* fields not included in the notable index, even as orig_host_* fields? How can I get them?
I can see that etc/apps/SA-ThreatIntelligence/default/log_review.conf mentions fields like orig_host_nt_host in the list of incident review attribute. Yet still no trace of that field in the notable index.
The best workaround I can think of so far is to rename host to dest early in the correlation search, because I know this will work. However, it is not a satisfying solution since in the context of my correlation search the host is not a source or a destination, it's just a host...
[notable_by_id(1)]
definition = `get_notable_index`
| eval `get_event_id_meval`,rule_id=event_id
| search event_id="$event_id$"
| fields - host_*
| tags outputfield=tag
| `mvappend_field(tag,orig_tag)`
| dedup rule_id
| `notable_xref_lookup`
| `get_correlations`
| `get_current_status`
| `get_owner`
| `get_urgency`
| typer
| tags outputfield=tag
| `mvappend_field(tag,orig_tag)`
| `suppression_extract`
| `risk_correlation`
It is the "| fields - host_*" where we dump them.
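An added example, not part of this thread or of the ES app itself: if the `fields - host_*` clause in `notable_by_id` is the only thing discarding the enrichment, then renaming the `get_asset` output in the correlation search so it no longer matches the `host_*` wildcard should let it survive into Incident Review. The `orig_host_*` prefix is chosen to line up with the `orig_host_nt_host` attribute the question found in log_review.conf; the index, sourcetype and rule name are placeholders, and the `rename COMMENT AS ...` line is a no-op used only to label the search as constructed.

```spl
index=hypothetical_index sourcetype=hypothetical:events
| rename COMMENT AS "Constructed example: index, sourcetype and rule name are placeholders"
| stats count BY host
| `get_asset(host)`
| rename host_* AS orig_host_*

index=notable search_name="Hypothetical Host Activity - Rule"
| table _time, orig_host, orig_host_nt_host, orig_host_ip
```

The first search is the correlation search body; the second is the check to run after the rule has fired at least once. It queries index=notable directly, so no macro can strip fields from the result: if `orig_host_nt_host` and `orig_host_ip` are absent here as well, the fields never reached the notable index in the first place and the `fields - host_*` clause in the macro is not the cause.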
Hi @gabriel_vasseur
Are those assets present in the "asset and identity" lookup table that you are supposed to fill manually?
Yes, the fields are populated when I run the search in the search bar, but they are not included in the notable event.
Try searching the index using the notable macro, rather than searching the index directly. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more details.
I downvoted this post because, sorry, this doesn't help.
Thanks for the link, unfortunately it doesn't help. Whether I search the notable index directly, with the macro, or use the Incident Review web UI, the fields I want are not there.