Splunk Enterprise Security
Highlighted

Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

New Member

I developed a search that is supposed to alert when a USB and executable is activated in order to see any malicious files are being uploaded onto a computer based on hostname.

My issue is.. when I developed the search and added it to triggered events, I chose the severity as High. But, when the event is triggered on Incident Review, it shows severity as low. On the Risk Analysis dashboard, it shows the searches as "adhoc unknown".

First off, can someone explain what AD HOC is?

Then, has anyone had an issue with the priority and severity conflicting each other resulting in giving the events a lower rating than anticipated?

0 Karma
Highlighted

Re: Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

Splunk Employee
Splunk Employee

The severity you set when creating a correlation search is different from the urgency of a notable event, though they are related. See: http://docs.splunk.com/Documentation/ES/4.5.1/User/NotableEvents#How_urgency_is_assigned_to_notable_...
If you set a severity of "high" but the notable event urgency shows "low" that does seem strange, however.

I'm not sure what you mean by "On the Risk Analysis dashboard, it shows the searches as "adhoc unknown"."
Does the correlation search also add risk to an object (system or user) when the correlation search finds a match? Or are you clicking the risk score from a notable event on incident review and opening the risk analysis dashboard?

0 Karma
Highlighted

Re: Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

New Member

Sorry possibly the risk analysis dashboard was created by my admin.

I viewed that document the other day but it didn't make sense to me. I have my triggered event as high but on the incident review it shows low. When I look at the lookup files for urgency it says that when the priority is unknown but the urgency is set to high then it will trigger a medium alert but in my case it is triggering a low alert.

We only made a triggered event to send an email and launch on the incident review dashboard. Our search doesn't touch on risk scores. I just so happened to see the Adhoc unknown triggering and when I opened it it had shown the same search I have been running so I was assuming that the events showed on the risk analysis stating unknown is causing the low alert on the incident review...

Its not really making sense unless the risk score priority is causing a negative effect to the high severity chosen on the drop down under the alert severity.. do they both have to be high for the incident review event to trigger as a high alert?

0 Karma
Highlighted

Re: Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

Splunk Employee
Splunk Employee

Setting aside the risk piece for a moment, I wanted to see if you had a priority assigned for the asset that is associated with the event. The urgency is driven by the severity of the correlation search, which sounds like you have set to high, combined with the priority of the asset impacted. Priority is set in the same manner, unknown, info, medium, high, critical. If the priority is not set for the asset, is it possible this is what is driving the urgency? There is a matrix/lookup in Configure -> Data Enrichment -> List and Lookups called Urgency Levels. This can be edited to accommodate a specific organization's settings. By default, a high severity correlation search, combined with an unknown asset priority would equate to a medium urgency.

Hopefully this helps resolve the notable event / urgency piece.