Hi All,
We noticed a seemingly weird behaviour where modifying the notable severity in a correlation search brings up historic events in the "Incident Review" pane with the new severity.
We use Enterprise Security ver. 5.3.0
To explain further with a hypothetical scenario:
Anyone faced this issue? Is this by design? Is there a solution to this?
I will take a stab -
Doing a search on `notable` - I don't see the severity field in the raw notable logs.
This led me to believe that severity is probably in a lookup table somewhere.
I found a lookup table, correlationsearches_lookup, in which the severity field is stored. It would make sense that when you change the severity in Content Management, all notable events would be changed, as the urgency would be derived from this severity.
For a solution see this:
https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned
You can manually calculate the severity in the SPL of the correlation search which according to that document:
"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."
So in your password violation scenario you could do something like this at the end of the search (SPL; rightNow=now() is the time the search runs, and the hour is taken from it):
| eval rightNow=now()
| eval severity=case(tonumber(strftime(rightNow, "%H")) >= 12, "high", true(), "informational")
Check the thread below.
Thanks! @thambisetty appreciate the inputs
Another solution may be to add this (or a macro) at the end of the rule to get the severity from the lookup based on the search name:
| lookup correlationsearches_lookup rule_name as $search_name$ OUTPUTNEW severity
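To show how the two suggestions fit together, here is an added example (not code from this thread, and not Splunk's own ES content) of the tail of a correlation search that sets severity in the SPL for the password-violation case and falls back to the Content Management value for everything else. The base search, the threshold, the rule name and the lookup field used for matching (rule_name, as in the post above) are assumptions; ES 5.3 runs on a Splunk release without inline SPL comments, so each step is described below the block instead.

```spl
index=os sourcetype=linux_secure "Failed password" earliest=-15m
| stats count BY user, src
| where count >= 5
| eval hour=tonumber(strftime(now(), "%H"))
| eval severity=case(hour >= 12 AND hour < 18, "high", hour >= 18 OR hour < 6, "critical")
| eval rule_name="Access - Excessive Failed Logins - Rule"
| lookup correlationsearches_lookup rule_name OUTPUTNEW severity
| fields - hour
```

The case() has no default branch, so between 06:00 and 12:00 severity is left null and OUTPUTNEW fills it from correlationsearches_lookup, i.e. the value set in Content Management; in the other hours the in-search value already exists and OUTPUTNEW leaves it alone. Because the search-defined severity is written into the notable event itself, which per the linked document takes precedence over the adaptive response setting, a later change in Content Management no longer rewrites those historic notables; notables created before the change, which carry no severity of their own, still show the lookup-derived value. Note that now() in a scheduled search is the scheduled run time, not the event time; if the rule should key off when the failures happened, carry _time through the stats and use it instead.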
Thanks @Jhunter appreciate the inputs
Any ideas, anyone? Kindly respond. Thanks!