Splunk Enterprise Security

Why is the ES Incident Review page still lists deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

rphillips_splk
Splunk Employee
Splunk Employee

The ES Incident Review page still lists deleted Correlation Searches Names in the Multiselect box "Correlation Search Name". We'd like to not see these correlation searches in this filter box after we delete them.

1 Solution

rphillips_splk
Splunk Employee
Splunk Employee
  • This was built by design because currently the list is populated based on "any correlation we've ever known about"
  • This was done because you could potentially have notable events for that correlation even though the correlation was deleted
  • There's a proposed enhancement under SOLNESS-12987 to switch this over to a list that's more intelligent using the notable events on the system

Workaround:
1.) make sure there are no outstanding notable events tied to this correlation search
2.) remove the correlation search from the kvstore with an inputlookup / outputlookup by the _key for that correlation search

Example for correlation search "UC-104-TEST"
Process:
1) Find the key for the correlation search (e.g. "UC-104-TEST")
| inputlookup correlationsearches_lookup
| search rule_name = "UC-104-TEST"
| table _key, rule_name

Returns:
"Threat - UC-104-TEST - Rule" for the _key field

2) Delete the correlation search by using the key
| inputlookup correlationsearches_lookup
| search _key!="Threat - UC-104-TEST - Rule"
| outputlookup correlationsearches_lookup

View solution in original post

TamasDubicz
Engager

We have faced with the same issue. The solution was to change ESCU permission level to "App" from "Global".

0 Karma

Art
Engager

With ES version 7+ containing a redesigned Incident Review dashboard the previous solution of modifying correlationsearches_lookup seems to no longer apply.  We would like the ability to remove correlation searches from the drop down list.  For example, we desire to remove disabled correlation searches and are seeking a work around.   

vhallan_splunk
Splunk Employee
Splunk Employee

When raising this with Splunk Support please reference SOLNESS-15144

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee
  • This was built by design because currently the list is populated based on "any correlation we've ever known about"
  • This was done because you could potentially have notable events for that correlation even though the correlation was deleted
  • There's a proposed enhancement under SOLNESS-12987 to switch this over to a list that's more intelligent using the notable events on the system

Workaround:
1.) make sure there are no outstanding notable events tied to this correlation search
2.) remove the correlation search from the kvstore with an inputlookup / outputlookup by the _key for that correlation search

Example for correlation search "UC-104-TEST"
Process:
1) Find the key for the correlation search (e.g. "UC-104-TEST")
| inputlookup correlationsearches_lookup
| search rule_name = "UC-104-TEST"
| table _key, rule_name

Returns:
"Threat - UC-104-TEST - Rule" for the _key field

2) Delete the correlation search by using the key
| inputlookup correlationsearches_lookup
| search _key!="Threat - UC-104-TEST - Rule"
| outputlookup correlationsearches_lookup

rphillips_splk
Splunk Employee
Splunk Employee

Steps to repro:
1. Create a correlation search
2. View the Incident Review page and click the multi select filter box for "Correlation Search Name" and find the correlation search
3. Delete the correlation search
4. The deleted correlation search still shows up in the filter box on the Incident Review page

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...