Splunk Enterprise Security

Why does modifying notable severity in Splunk ES impact historic events as well?

vik_splunk
Communicator

Hi All,

We notice a seemingly weird behaviour where modifying the notable severity in a correlation search brings up historic events to the "Incident Review" pane with the new severity. 

We use Enterprise Security ver. 5.3.0

To explain further with a hypothetical scenario

  1. Let's say a use case like "password violation on a critical asset" with a notable of informational severity fires 5 times a day on average.
  2. This noon, I change the severity from informational to high.
  3. Navigating to the incident review and choosing a time period of 30 days (for instance) brings back 30 days' worth of notables for this use case but with a high! severity (which is not right).
  4. Ideally we expect the events to be split across two severities, namely informational until noon today and high for any events after.

Anyone faced this issue? Is this by design? Is there a solution to this?

1 Solution

Jhunter
Explorer

I will take a stab - 

Doing a search on `notable` - I don't see the severity field in the raw notable logs. 

This led me to believe that severity is probably in a lookup table somewhere.

I found a lookup table, correlationsearches_lookup, in which the severity field is stored. It would make sense that when you change the severity in Content Management, all notable events would be changed, as the urgency would be derived from this severity.

For a solution see this: 

https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned


You can manually calculate the severity in the SPL of the correlation search which according to that document: 


"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."

So in your password violation scenario you could do something like (pseudo code):

| eval rightNow=now()                                [run time of the search]
| eval noonToday=relative_time(now(), "@d+12h")      [today at 12:00 in the search's time zone]
| eval severity=case(rightNow >= noonToday, "high", rightNow < noonToday, "informational")


thambisetty
SplunkTrust
SplunkTrust

Check the thread below.

https://community.splunk.com/t5/Splunk-Enterprise-Security/ES-notable-urgency-changing-for-old-notab...

vik_splunk
Communicator

Thanks! @thambisetty  appreciate the inputs



Laszlo_K
Explorer

Another solution may be to add this (or a macro) at the end of the rule to get the severity from the lookup based on the search name:

| lookup correlationsearches_lookup rule_name as $search_name$ OUTPUTNEW severity

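Jhunter's and Laszlo_K's answers come down to the same mechanism: the raw notable event carries no severity field, so Incident Review resolves severity from the correlationsearches_lookup row as it is *now*, and a correlation search that writes its own severity field (Jhunter's eval, or Laszlo_K's lookup at the end of the rule) freezes the value at the moment the notable is created. The Python model below is an added example, not code from the thread or from Splunk. It replays the poster's scenario both ways. The lookup dict, the Notable class and the fire/resolve functions are simplified stand-ins for the KV store and the notable macro (assumptions, not ES internals); the urgency matrix is the one the "How urgency is assigned" page publishes, reproduced here from memory, so verify it against urgency.csv in your own install before relying on it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITIES = ("informational", "low", "medium", "high", "critical")

# URGENCY[asset_or_identity_priority][severity] -> urgency.
# Matrix from the ES doc "How urgency is assigned", reproduced from memory
# (assumption: verify against urgency.csv shipped with your ES version).
URGENCY: Dict[str, Dict[str, str]] = {
    "unknown":  dict(zip(SEVERITIES, ("informational", "low", "low", "medium", "medium"))),
    "low":      dict(zip(SEVERITIES, ("informational", "low", "low", "medium", "medium"))),
    "medium":   dict(zip(SEVERITIES, ("informational", "low", "medium", "high", "high"))),
    "high":     dict(zip(SEVERITIES, ("informational", "low", "medium", "high", "critical"))),
    "critical": dict(zip(SEVERITIES, ("informational", "medium", "high", "critical", "critical"))),
}


@dataclass
class Notable:
    """One row in the notable index (simplified stand-in, assumption)."""
    rule_name: str
    time: int                        # epoch seconds when the search fired
    priority: str = "unknown"        # asset/identity priority merged in by ES
    severity: Optional[str] = None   # None: the search did not emit a severity field


def fire(rule_name: str, when: int, lookup: Dict[str, str], *,
         bake_severity: bool, priority: str = "unknown") -> Notable:
    """Create a notable. bake_severity=True models a search whose SPL emits a
    severity field (eval, or | lookup correlationsearches_lookup ... OUTPUTNEW
    severity), so the value current at firing time is stored with the event."""
    severity = lookup[rule_name] if bake_severity else None
    return Notable(rule_name, when, priority, severity)


def resolve(notable: Notable, lookup: Dict[str, str]) -> Tuple[str, str]:
    """Incident Review's view of one notable: a severity stored on the event
    takes precedence; otherwise the *current* lookup row is used, which is
    why every historical notable changed in the question."""
    if notable.severity is not None:
        severity = notable.severity
    else:
        severity = lookup[notable.rule_name]
    return severity, URGENCY[notable.priority][severity]


RULE = "password violation on a critical asset"


def scenario(bake_severity: bool) -> List[Tuple[str, str]]:
    """Replay the question: three notables fire, severity is raised from
    informational to high in Content Management, two more fire. Returns the
    (severity, urgency) pairs Incident Review would show for all five."""
    lookup = {RULE: "informational"}       # constructed correlationsearches_lookup row
    before = [fire(RULE, t, lookup, bake_severity=bake_severity, priority="high")
              for t in (1000, 2000, 3000)]
    lookup[RULE] = "high"                  # the change made "at noon"
    after = [fire(RULE, t, lookup, bake_severity=bake_severity, priority="high")
             for t in (4000, 5000)]
    return [resolve(n, lookup) for n in before + after]


if __name__ == "__main__":
    for label, bake in (("lookup-only (ES default)", False), ("severity written by the search", True)):
        print(label)
        for sev, urg in scenario(bake):
            print(f"  severity={sev:<13} urgency={urg}")
```

With the default behaviour, scenario(False) reports "high" for all five notables, which is exactly the complaint in the question; scenario(True) keeps the three pre-change notables at informational and only the two later ones at high. Note that baking the severity into the event only protects notables created after the search was changed; notables that were already in the index without a severity field will still follow the lookup.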

vik_splunk
Communicator

Thanks @Jhunter  appreciate the inputs


vik_splunk
Communicator

Any ideas, anyone? Kindly respond. Thanks!
