
Splunk Enterprise Security: What happens to host_* fields in notable events?

gabriel_vasseur
Contributor

I have a correlation search that includes the field host and is enriched with all the usual fields such as host_nt_host, host_ip, etc. from using the get_asset macro.

I know that the host field in the correlation search results is replaced with the orig_host field in the stored notable event, but why are the other host_* fields not included in the notable index, even as orig_host_* fields? How can I get them?

I can see that etc/apps/SA-ThreatIntelligence/default/log_review.conf mentions fields like orig_host_nt_host in the list of incident review attributes. Yet still no trace of that field in the notable index.

The best workaround I can think of so far is to rename host to dest early in the correlation search, because I know this will work. However, it is not a satisfying solution since in the context of my correlation search the host is not a source or a destination, it's just a host...

0 Karma
1 Solution

jwelch_splunk
Splunk Employee

[notable_by_id(1)]

definition = get_notable_index | eval get_event_id_meval,rule_id=event_id | search event_id="$event_id$" | fields - host_* | tags outputfield=tag | mvappend_field(tag,orig_tag) | dedup rule_id | notable_xref_lookup | get_correlations | get_current_status | get_owner | get_urgency | typer | tags outputfield=tag | mvappend_field(tag,orig_tag) | suppression_extract | risk_correlation

It is the "| fields - host_*" where we dump them.

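To make the effect of that macro step concrete, here is an added example (not code from Splunk or from anyone in this thread) that models `| fields - host_*` as wildcard removal over a constructed notable event. The field names and values in SAMPLE_NOTABLE are assumptions for illustration; the real set depends on the ES version and the asset lookup. It shows that every host_* enrichment field is removed while orig_host survives, and why the rename-to-dest workaround from the question keeps the asset data: dest_* does not match the host_* pattern.

```python
"""Model of the `| fields - host_*` step from the notable_by_id macro.

Added example, not Splunk code. Uses a constructed notable event and plain
glob matching to show which enrichment fields survive the macro step.
"""
from fnmatch import fnmatchcase

# Constructed sample (assumed field set): a stored notable after a correlation
# search enriched `host` with the get_asset macro, with the same asset also
# carried under the dest_* prefix as in the rename workaround.
SAMPLE_NOTABLE = {
    "event_id": "ABC123@@notable@@0000",
    "rule_id": "ABC123@@notable@@0000",
    "orig_host": "wks-01",
    "host_nt_host": "WKS-01",
    "host_ip": "10.0.0.5",
    "host_bunit": "finance",
    "dest": "wks-01",
    "dest_ip": "10.0.0.5",
    "dest_nt_host": "WKS-01",
}


def fields_minus(event: dict, *patterns: str) -> dict:
    """Mimic SPL `| fields - <pattern> ...`: drop every field whose name matches
    any of the wildcard patterns; keep everything else unchanged."""
    return {
        name: value
        for name, value in event.items()
        if not any(fnmatchcase(name, pat) for pat in patterns)
    }


def notable_by_id_field_step(event: dict) -> dict:
    """The specific step quoted in the accepted answer: `| fields - host_*`."""
    return fields_minus(event, "host_*")


def dropped_fields(event: dict) -> list:
    """Sorted names removed by the macro step, for quick inspection."""
    kept = notable_by_id_field_step(event)
    return sorted(set(event) - set(kept))


def preserved_asset_fields(event: dict, prefix: str) -> dict:
    """Enrichment fields under `<prefix>_` that survive the macro step."""
    kept = notable_by_id_field_step(event)
    return {k: v for k, v in kept.items() if k.startswith(prefix + "_")}


if __name__ == "__main__":
    print("dropped by macro:", dropped_fields(SAMPLE_NOTABLE))
    print("orig_host kept:", "orig_host" in notable_by_id_field_step(SAMPLE_NOTABLE))
    print("host_* kept:", preserved_asset_fields(SAMPLE_NOTABLE, "host"))
    print("dest_* kept:", preserved_asset_fields(SAMPLE_NOTABLE, "dest"))
```

Note that `host_*` does not match `orig_host` or the bare `host` field, which is consistent with what the question reports: orig_host is visible in the notable while the host_* enrichment is not.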

alemarzu
Motivator

Hi @gabriel_vasseur
Are those assets present in the "asset and identity" lookup table that you are supposed to manually fill?

0 Karma

gabriel_vasseur
Contributor

Yes, the fields are populated when I run the search in the search bar, but they are not included in the notable event.

0 Karma

smoir_splunk
Splunk Employee

Try searching the index using the notable macro, rather than searching the index directly. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more details.

gabriel_vasseur
Contributor

I downvoted this post because, sorry, this doesn't help.

0 Karma

gabriel_vasseur
Contributor

Thanks for the link, unfortunately it doesn't help. Whether I search the notable index directly, with the macro, or use the Incident Review web UI, the fields I want are not there.

0 Karma