Splunk Enterprise Security

Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

krhines410
New Member

I developed a search that is supposed to alert when a USB and executable is activated in order to see any malicious files are being uploaded onto a computer based on hostname.

My issue is.. when I developed the search and added it to triggered events, I chose the severity as High. But, when the event is triggered on Incident Review, it shows severity as low. On the Risk Analysis dashboard, it shows the searches as "adhoc unknown".

First off, can someone explain what AD HOC is?

Then, has anyone had an issue with the priority and severity conflicting each other resulting in giving the events a lower rating than anticipated?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

The severity you set when creating a correlation search is different from the urgency of a notable event, though they are related. See: http://docs.splunk.com/Documentation/ES/4.5.1/User/NotableEvents#How_urgency_is_assigned_to_notable_...
If you set a severity of "high" but the notable event urgency shows "low" that does seem strange, however.

I'm not sure what you mean by "On the Risk Analysis dashboard, it shows the searches as "adhoc unknown"."
Does the correlation search also add risk to an object (system or user) when the correlation search finds a match? Or are you clicking the risk score from a notable event on incident review and opening the risk analysis dashboard?

0 Karma

krhines410
New Member

Sorry possibly the risk analysis dashboard was created by my admin.

I viewed that document the other day but it didn't make sense to me. I have my triggered event as high but on the incident review it shows low. When I look at the lookup files for urgency it says that when the priority is unknown but the urgency is set to high then it will trigger a medium alert but in my case it is triggering a low alert.

We only made a triggered event to send an email and launch on the incident review dashboard. Our search doesn't touch on risk scores. I just so happened to see the Adhoc unknown triggering and when I opened it it had shown the same search I have been running so I was assuming that the events showed on the risk analysis stating unknown is causing the low alert on the incident review...

Its not really making sense unless the risk score priority is causing a negative effect to the high severity chosen on the drop down under the alert severity.. do they both have to be high for the incident review event to trigger as a high alert?

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

Setting aside the risk piece for a moment, I wanted to see if you had a priority assigned for the asset that is associated with the event. The urgency is driven by the severity of the correlation search, which sounds like you have set to high, combined with the priority of the asset impacted. Priority is set in the same manner, unknown, info, medium, high, critical. If the priority is not set for the asset, is it possible this is what is driving the urgency? There is a matrix/lookup in Configure -> Data Enrichment -> List and Lookups called Urgency Levels. This can be edited to accommodate a specific organization's settings. By default, a high severity correlation search, combined with an unknown asset priority would equate to a medium urgency.

Hopefully this helps resolve the notable event / urgency piece.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...