Splunk Enterprise Security

Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

krhines410
New Member

I developed a search that is supposed to alert when a USB and executable is activated in order to see any malicious files are being uploaded onto a computer based on hostname.

My issue is.. when I developed the search and added it to triggered events, I chose the severity as High. But, when the event is triggered on Incident Review, it shows severity as low. On the Risk Analysis dashboard, it shows the searches as "adhoc unknown".

First off, can someone explain what AD HOC is?

Then, has anyone had an issue with the priority and severity conflicting each other resulting in giving the events a lower rating than anticipated?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

The severity you set when creating a correlation search is different from the urgency of a notable event, though they are related. See: http://docs.splunk.com/Documentation/ES/4.5.1/User/NotableEvents#How_urgency_is_assigned_to_notable_...
If you set a severity of "high" but the notable event urgency shows "low" that does seem strange, however.

I'm not sure what you mean by "On the Risk Analysis dashboard, it shows the searches as "adhoc unknown"."
Does the correlation search also add risk to an object (system or user) when the correlation search finds a match? Or are you clicking the risk score from a notable event on incident review and opening the risk analysis dashboard?

0 Karma

krhines410
New Member

Sorry possibly the risk analysis dashboard was created by my admin.

I viewed that document the other day but it didn't make sense to me. I have my triggered event as high but on the incident review it shows low. When I look at the lookup files for urgency it says that when the priority is unknown but the urgency is set to high then it will trigger a medium alert but in my case it is triggering a low alert.

We only made a triggered event to send an email and launch on the incident review dashboard. Our search doesn't touch on risk scores. I just so happened to see the Adhoc unknown triggering and when I opened it it had shown the same search I have been running so I was assuming that the events showed on the risk analysis stating unknown is causing the low alert on the incident review...

Its not really making sense unless the risk score priority is causing a negative effect to the high severity chosen on the drop down under the alert severity.. do they both have to be high for the incident review event to trigger as a high alert?

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

Setting aside the risk piece for a moment, I wanted to see if you had a priority assigned for the asset that is associated with the event. The urgency is driven by the severity of the correlation search, which sounds like you have set to high, combined with the priority of the asset impacted. Priority is set in the same manner, unknown, info, medium, high, critical. If the priority is not set for the asset, is it possible this is what is driving the urgency? There is a matrix/lookup in Configure -> Data Enrichment -> List and Lookups called Urgency Levels. This can be edited to accommodate a specific organization's settings. By default, a high severity correlation search, combined with an unknown asset priority would equate to a medium urgency.

Hopefully this helps resolve the notable event / urgency piece.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...