
Splunk Enterprise Security: What happens to host_* fields in notable events?

Contributor

I have a correlation search that includes the field host and is enriched with all the usual fields such as host_nt_host, host_ip, etc from using the get_asset macro.

I know that the host field in the correlation search results is replaced with the orig_host field in the stored notable event, but why are the other host_* fields not included in the notable index, even as orig_host_* fields? How can I get them?

I can see that etc/apps/SA-ThreatIntelligence/default/log_review.conf mentions fields like orig_host_nt_host in the list of incident review attribute. Yet still no trace of that field in the notable index.

The best workaround I can think of so far is to rename host to dest early in the correlation search, because I know this will work. However, it is not a satisfying solution since in the context of my correlation search the host is not a source or a destination, it's just a host...

0 Karma
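As an added illustration of the rename workaround described in the question (this is constructed example SPL, not code from the original post or from Splunk ES), the correlation search below renames host to dest before calling the get_asset macro. The base search, the index and sourcetype names, and the search name are assumptions; the only point being shown is that the enrichment then produces dest_* fields instead of host_* fields, so the notable event keeps them.

```spl
index=example_index sourcetype=example_sourcetype
| stats count BY host
| rename host AS dest
| `get_asset(dest)`
| table dest dest_nt_host dest_ip count
```

To check what actually reached the notable index, run `` `notable` | search search_name="Example - Host Activity" | table _time dest dest_nt_host dest_ip `` (the search name is again an assumption) and compare it with the same search written against host: with the rename in place the dest_nt_host and dest_ip columns are populated, whereas host_nt_host and host_ip are absent from the notable.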
1 Solution

Splunk Employee

[notable_by_id(1)]

definition = get_notable_index | eval get_event_id_meval,rule_id=event_id | search event_id="$event_id$" | fields - host_* | tags outputfield=tag | mvappend_field(tag,orig_tag) | dedup rule_id | notable_xref_lookup | get_correlations | get_current_status | get_owner | get_urgency | typer | tags outputfield=tag | mvappend_field(tag,orig_tag) | suppression_extract | risk_correlation

It is the "| fields - host_*" where we dump them.



Motivator

Hi @gabriel_vasseur
Are those assets present in the "asset and identity" lookup table that you are supposed to fill in manually?

0 Karma

Contributor

Yes, the fields are populated when I run the search in the search bar, but they are not included in the notable event.

0 Karma

Splunk Employee

Try searching the index using the notable macro, rather than searching the index directly. See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more details.

Contributor

I downvoted this post because, sorry, this doesn't help.

0 Karma

Contributor

Thanks for the link, unfortunately it doesn't help. Whether I search the notable index directly, with the macro, or use the Incident Review web UI, the fields I want are not there.

0 Karma