Splunk Enterprise Security

Splunk Enterprise Security: What happens to host_* fields in notable events?

gabriel_vasseur
Contributor

I have a correlation search that includes the field host and is enriched with all the usual fields such as host_nt_host, host_ip, etc from using the get_asset macro.

I know that the host field in the correlation search results is replaced with the orig_host field in the stored notable event, but why are the other host_* fields not included in the notable index, even as orig_host_* fields? How can I get them?

I can see that etc/apps/SA-ThreatIntelligence/default/log_review.conf mentions fields like orig_host_nt_host in the list of incident review attribute. Yet still no trace of that field in the notable index.

The best workaround I can think of so far is to rename host to dest early in the correlation search, because I know this will work. However, it is not a satisfying solution since in the context of my correlation search the host is not a source or a destination, it's just a host...

0 Karma
1 Solution

jwelch_splunk
Splunk Employee
Splunk Employee

[notable_by_id(1)]

definition = get_notable_index | eval get_event_id_meval,rule_id=event_id | search event_id="$event_id$" | fields - host_* | tags outputfield=tag | mvappend_field(tag,orig_tag) | dedup rule_id | notable_xref_lookup | get_correlations | get_current_status | get_owner | get_urgency | typer | tags outputfield=tag | mvappend_field(tag,orig_tag) | suppression_extract | risk_correlation

It is the "| fields - host_*" we dump them.

View solution in original post

jwelch_splunk
Splunk Employee
Splunk Employee

[notable_by_id(1)]

definition = get_notable_index | eval get_event_id_meval,rule_id=event_id | search event_id="$event_id$" | fields - host_* | tags outputfield=tag | mvappend_field(tag,orig_tag) | dedup rule_id | notable_xref_lookup | get_correlations | get_current_status | get_owner | get_urgency | typer | tags outputfield=tag | mvappend_field(tag,orig_tag) | suppression_extract | risk_correlation

It is the "| fields - host_*" we dump them.

alemarzu
Motivator

Hi @gabriel_vasseur
Are those assets present in the "asset and identity" lookup table that you are suppouse to manually fill?

0 Karma

gabriel_vasseur
Contributor

Yes, the fields are populated when I run the search in the search bar, but they are not included in the notable event.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Try searching the index using the notable macro, rather than searching the index directly. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more details.

gabriel_vasseur
Contributor

I downvoted this post because sorry, this doesn't help

0 Karma

gabriel_vasseur
Contributor

Thanks for the link, unfortunately it doesn't help. Whether I search the notable index directly, with the macro, or use the Incident Review web UI, the fields I want are not there.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...