Splunk Enterprise Security

Splunk query for use case onboarded

Sankar
Explorer

We have 100+ use cases onboarded into Splunk ES, and we are receiving alerts for a few of them, but I want to know the exact count: how many use cases are onboarded into Splunk, and of those, how many have triggered alerts?

Any guidance would be much appreciated.


gcusello
SplunkTrust

Hi @Sankar,

Correlation Searches in ES write triggered alerts to the notable index.

You can search this index and build a statistic by search_name:

index=notable
| stats count BY search_name

Ciao.

Giuseppe
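The first question in the thread (how many correlation searches are onboarded, and how many of those have actually produced a notable) can be answered in one report by joining the list of correlation searches from the REST API with the per-rule notable counts that the query above produces. This is an added example, not code from the thread; it assumes a standard ES deployment, where correlation searches are saved searches flagged with `action.correlationsearch.enabled=1` and the notable's `search_name` equals the saved search title, and it uses a 30-day window that you can adjust.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search action.correlationsearch.enabled=1
| rename title AS search_name
| eval enabled=if(disabled="1", "no", "yes")
| fields search_name enabled
| join type=left search_name
    [ search index=notable earliest=-30d@d
      | stats count AS notable_count BY search_name ]
| fillnull value=0 notable_count
| eval triggered=if(notable_count > 0, "yes", "no")
| eventstats count AS onboarded_total,
    sum(eval(if(triggered="yes", 1, 0))) AS triggered_total
| sort - notable_count
| table search_name enabled notable_count triggered onboarded_total triggered_total
```

The REST call lists every correlation search, including disabled ones, so the `enabled` column tells you which rules are onboarded but switched off; the left join keeps rules with zero notables instead of silently dropping them, which is what a bare `index=notable | stats` does. `onboarded_total` and `triggered_total` are repeated on every row by `eventstats`, so the headline numbers and the per-rule detail come from one search.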

Sankar
Explorer

Thanks @gcusello

It's working.

I want to filter each alert based on Urgency (High, Medium, Low, Informational).

I tried the query below but it's not working.

| fields Title Urgency
| table Title Urgency

gcusello
SplunkTrust

Hi @Sankar ,

Do you want to display the urgency of each search, or to filter results by urgency?

In the first case:

index=notable
| stats values(urgency) As urgency count BY search_name

In the second case (to have only notables with urgency=high):

index=notable urgency=high
| stats count BY search_name

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


Sankar
Explorer

Hi @gcusello 

The first-case query is working, but I don't see any severity in the urgency field.
The urgency field is empty for all alerts, even though in the rule we set the severity value under Adaptive Response Actions --> Notable --> Severity (e.g. High, Medium, Low, Informational).

We have 40+ indexes, so for each alert I want Search Name, Index, Urgency, and count.

I hope you can share the right info.

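For the per-rule breakdown asked for above (search name, urgency, count), here is an added example, not code from the thread, built on the `index=notable | stats` approach in the earlier reply. It uses ES's `notable` macro in place of a bare `index=notable`, because that macro applies the search-time enrichments ES uses in Incident Review, urgency among them; whatever is still empty afterwards is labelled `unknown` rather than dropped, and `severity` is kept in the output so you can see that the correlation search's own severity is recorded even when urgency is blank. Note that the `index` field of a notable event is always the notable index itself, so the originating index appears only if the correlation search carries it through in its results; the `source_index` field name used here is an assumption, so rename it to whatever your rules emit, or drop it.

```spl
`notable`
| eval urgency=if(isnull(urgency) OR urgency="", "unknown", urgency)
| fillnull value="unknown" severity priority source_index
| stats count AS notable_count BY search_name source_index urgency severity priority
| eval urgency_rank=case(urgency="critical", 5, urgency="high", 4, urgency="medium", 3,
    urgency="low", 2, urgency="informational", 1, true(), 0)
| sort search_name - urgency_rank - notable_count
| fields - urgency_rank
```

To restrict the report to one urgency, add `| search urgency=high` directly after the macro, as in the second query above. If `urgency` comes back as `unknown` on every row while `severity` is populated, the notables are being written correctly and what is missing is the urgency calculation input (priority), which is the Asset and Identity point raised later in the thread.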

gcusello
SplunkTrust

Hi @Sankar ,

Urgency depends on Priority (from the Correlation Search) and priority (from the Asset/Identity).

[attached image: gcusello_0-1737737457654.png]

Did you define Priority in Asset and Identity Management?

Ciao.

Giuseppe


Sankar
Explorer

Hi @gcusello, I understand your points. As a Splunk SME, I have created the rules, and the urgency values have been set in the correlation search.

But do we really need Asset/Identity Management?
Asset/IM is taken care of by different teams.

I have enabled the use cases and they have triggered alerts too; the only thing is that we are unable to see Urgency field values. What is the best practice to view the urgency field?

Thank you so much for responding to my queries.


gcusello
SplunkTrust

Hi @Sankar ,

If you don't have Asset and Identity Management you cannot define Priority, only Urgency: use it in your reports.

Ciao.

Giuseppe

Sankar
Explorer

Hi @gcusello 

Do we have any reference guide from Splunk, or ServiceNow?


gcusello
SplunkTrust

Hi @Sankar ,

Only the training on ES:

You must define a search to extract assets and identities from AD logs or from ServiceNow.

These items must be formatted (field names) using the names that you can find in Assets and Identities Management in ES.

When you have created this search, you can schedule it, adding the information about priority (e.g. Domain Controllers have a critical Priority, PCs of the CEO and managers have a critical priority; if you are an eCommerce company, payment services are critical; and so on, based on your Business Impact Analysis).

Ciao.

Giuseppe

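An added example of the asset source described in the reply above, not code from the thread or from Splunk: it builds a small asset list from constructed sample hosts, assigns `priority` by asset category (the BIA-driven mapping the reply sketches), lays the result out with the column names the ES asset lookup expects, and saves it to a lookup. The hostnames, addresses, categories and business units are made up, and `my_custom_assets.csv` is a placeholder name. In a real deployment the first three lines would be replaced by a search over your AD or ServiceNow data, the search would be scheduled, and the resulting lookup registered as an asset source in Asset and Identity Management so that ES can use its `priority` when it computes urgency.

```spl
| makeresults
| eval rec=split("dc01.corp.example,10.0.0.10,Domain Controller,it;ceo-laptop.corp.example,10.0.5.21,Executive Workstation,finance;pay-api01.corp.example,10.0.8.5,Payment Service,ecommerce;print01.corp.example,10.0.3.40,Printer,facilities", ";")
| mvexpand rec
| rex field=rec "^(?<dns>[^,]+),(?<ip>[^,]+),(?<category>[^,]+),(?<bunit>[^,]+)$"
| eval nt_host=upper(mvindex(split(dns, "."), 0))
| eval priority=case(
    category="Domain Controller", "critical",
    category="Executive Workstation", "critical",
    category="Payment Service", "critical",
    category="Printer", "low",
    true(), "medium")
| eval is_expected="true", requires_av=if(category="Printer", "false", "true")
| table ip mac nt_host dns owner priority lat long city country bunit category pci_domain is_expected should_timesync should_update requires_av
| outputlookup my_custom_assets.csv
```

Keeping a `true()` default in the `case` matters: any host that does not match an explicit rule still gets a priority, so ES can compute an urgency for it rather than leaving the field empty, which is exactly the symptom discussed earlier in the thread. Columns you have no data for (mac, owner, lat, long, and so on) are written empty; only the names need to match the asset lookup's schema.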