Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the ES Incident Review page still lists deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

rphillips_splk
Splunk Employee
Splunk Employee
‎04-19-2018 10:31 AM

The ES Incident Review page still lists deleted Correlation Searches Names in the Multiselect box "Correlation Search Name". We'd like to not see these correlation searches in this filter box after we delete them.

Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎04-19-2018 10:34 AM
  • This was built by design because currently the list is populated based on "any correlation we've ever known about"
  • This was done because you could potentially have notable events for that correlation even though the correlation was deleted
  • There's a proposed enhancement under SOLNESS-12987 to switch this over to a list that's more intelligent using the notable events on the system

Workaround:
1.) make sure there are no outstanding notable events tied to this correlation search
2.) remove the correlation search from the kvstore with an inputlookup / outputlookup by the _key for that correlation search

Example for correlation search "UC-104-TEST"
Process:
1) Find the key for the correlation search (e.g. "UC-104-TEST")
| inputlookup correlationsearches_lookup
| search rule_name = "UC-104-TEST"
| table _key, rule_name

Returns:
"Threat - UC-104-TEST - Rule" for the _key field

2) Delete the correlation search by using the key
| inputlookup correlationsearches_lookup
| search _key!="Threat - UC-104-TEST - Rule"
| outputlookup correlationsearches_lookup

View solution in original post

Reply
Solved! Jump to solution

TamasDubicz
Engager
‎05-05-2023 05:10 AM

We have faced with the same issue. The solution was to change ESCU permission level to "App" from "Global".

0 Karma
Reply
Solved! Jump to solution

Art
Engager
‎03-22-2023 01:09 PM

With ES version 7+ containing a redesigned Incident Review dashboard the previous solution of modifying correlationsearches_lookup seems to no longer apply.  We would like the ability to remove correlation searches from the drop down list.  For example, we desire to remove disabled correlation searches and are seeking a work around.   

Reply
Solved! Jump to solution

vhallan_splunk
Splunk Employee
Splunk Employee
‎03-01-2019 08:09 AM

When raising this with Splunk Support please reference SOLNESS-15144

0 Karma
Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎04-19-2018 10:34 AM
  • This was built by design because currently the list is populated based on "any correlation we've ever known about"
  • This was done because you could potentially have notable events for that correlation even though the correlation was deleted
  • There's a proposed enhancement under SOLNESS-12987 to switch this over to a list that's more intelligent using the notable events on the system

Workaround:
1.) make sure there are no outstanding notable events tied to this correlation search
2.) remove the correlation search from the kvstore with an inputlookup / outputlookup by the _key for that correlation search

Example for correlation search "UC-104-TEST"
Process:
1) Find the key for the correlation search (e.g. "UC-104-TEST")
| inputlookup correlationsearches_lookup
| search rule_name = "UC-104-TEST"
| table _key, rule_name

Returns:
"Threat - UC-104-TEST - Rule" for the _key field

2) Delete the correlation search by using the key
| inputlookup correlationsearches_lookup
| search _key!="Threat - UC-104-TEST - Rule"
| outputlookup correlationsearches_lookup

Reply
Solved! Jump to solution

rphillips_splk
Splunk Employee
Splunk Employee
‎04-19-2018 10:32 AM

Steps to repro:
1. Create a correlation search
2. View the Incident Review page and click the multi select filter box for "Correlation Search Name" and find the correlation search
3. Delete the correlation search
4. The deleted correlation search still shows up in the filter box on the Incident Review page

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...