Splunk Enterprise Security

Why does modifying notable severity in Splunk ES impact historic events as well?

vik_splunk
Communicator

Hi All,

We notice a seemingly weird behaviour where modifying the notable severity in a correlation search brings up historic events to the "Incident Review" pane with the new severity. 

We use Enterprise Security ver. 5.3.0

To explain further with a hypothetical scenario:

  1. Let's say a use case like "password violation on a critical asset" with a notable of informational severity fires 5 times a day on average.
  2. This noon, I change severity from informational to high.
  3. Navigating to the incident review and choosing a time period of 30 days (for instance) brings back 30 days' worth of notables for this use case, but with a high (!) severity (which is not right).
  4. Ideally we expect the events to be split across two severities, namely informational until noon today and high for any events after.

Anyone faced this issue? Is this by design? Is there a solution to this?

Jhunter
Explorer

I will take a stab -

Doing a search on `notable` - I don't see the severity field in the raw notable logs.

This led me to believe that severity is probably in a lookup table somewhere.

I found a lookup table, correlationsearches_lookup, in which the severity field is stored. It would make sense that when you change the severity in content management, all notable events would be changed, as the urgency would be derived from this severity.

For a solution see this: 

https://docs.splunk.com/Documentation/ES/6.2.0/User/Howurgencyisassigned

You can manually calculate the severity in the SPL of the correlation search, which, according to that document:


"Severity defined in the search syntax results in an event where severity takes precedence over the severity defined in the notable event adaptive response action."

So in your password violation scenario you could do something like (pseudo code):

| eval rightNow=now()   [get running time stamp]

| eval severity=case(rightNow>=relative_time(rightNow, "@d+12h"), "high", rightNow<relative_time(rightNow, "@d+12h"), "informational")   [noon of the current day, as in the scenario]

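As an added illustration, not code from this thread or from Splunk, the Python below models the behaviour Jhunter describes: Incident Review joining severity from correlationsearches_lookup at display time versus a severity field written into the notable by the correlation search's own SPL, which the docs say takes precedence. The rule name, the cutoff time and the event counts are constructed for the demo.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed values for the demo: the rule from the question, the moment its
# severity was raised ("this noon"), and correlationsearches_lookup after the change.
RULE = "password violation on a critical asset"
CUTOFF = datetime(2024, 1, 31, 12, 0)
LOOKUP = {RULE: "high"}


def make_event(t, stamped):
    """One notable. With stamped=True the correlation search's own SPL
    (eval severity=...) ran when it fired, so the value configured at that
    moment was written into the event and never changes afterwards."""
    ev = {"_time": t, "rule_name": RULE}
    if stamped:
        ev["severity"] = "high" if t >= CUTOFF else "informational"
    return ev


def build_history(days=30, per_day=5, after=5, stamped=False):
    """Constructed history: per_day notables every morning for `days` days
    up to and including the cutoff day, plus `after` notables this afternoon."""
    events = []
    for d in range(days):
        morning = (CUTOFF - timedelta(days=d)).replace(hour=6)
        events += [make_event(morning + timedelta(hours=h), stamped) for h in range(per_day)]
    events += [make_event(CUTOFF + timedelta(hours=h + 1), stamped) for h in range(after)]
    return events


def incident_review_severity(ev, lookup=LOOKUP):
    """How Incident Review resolves severity: a severity field stored in the
    notable takes precedence; otherwise it is joined from the lookup at
    display time, i.e. with whatever the lookup says *now*."""
    return ev.get("severity") or lookup[ev["rule_name"]]


def severity_counts(events):
    """Severity breakdown of a 30-day Incident Review view."""
    return dict(Counter(incident_review_severity(ev) for ev in events))


if __name__ == "__main__":
    # Lookup-derived: all 155 historic notables now show "high".
    print("lookup only   :", severity_counts(build_history()))
    # Stamped in SPL: 150 stay "informational", only the 5 after noon are "high".
    print("stamped in SPL:", severity_counts(build_history(stamped=True)))
```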

thambisetty
SplunkTrust

Check the thread below.

 

https://community.splunk.com/t5/Splunk-Enterprise-Security/ES-notable-urgency-changing-for-old-notab...

————————————
If this helps, give a like below.

vik_splunk
Communicator

Thanks @thambisetty, appreciate the inputs.

Laszlo_K
Explorer

Another solution may be to add this (or a macro) at the end of the rule to get the severity from the lookup based on the search name:

| lookup correlationsearches_lookup rule_name as $search_name$ OUTPUTNEW severity

vik_splunk
Communicator

Thanks @Jhunter, appreciate the inputs.

vik_splunk
Communicator

Any ideas, anyone? Kindly respond. Thanks!