Splunk Enterprise Security

Why does the ES Incident Review page still list deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

Splunk Employee

The ES Incident Review page still lists the names of deleted Correlation Searches in the Multiselect box "Correlation Search Name". We'd like these correlation searches not to appear in this filter box after we delete them.


Re: Why does the ES Incident Review page still list deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

Splunk Employee

Steps to repro:
1. Create a correlation search
2. View the Incident Review page and click the multi select filter box for "Correlation Search Name" and find the correlation search
3. Delete the correlation search
4. The deleted correlation search still shows up in the filter box on the Incident Review page


Re: Why does the ES Incident Review page still list deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

Splunk Employee
  • This was built by design because currently the list is populated based on "any correlation we've ever known about"
  • This was done because you could potentially have notable events for that correlation even though the correlation was deleted
  • There's a proposed enhancement under SOLNESS-12987 to switch this over to a list that's more intelligent using the notable events on the system

Workaround:
1) Make sure there are no outstanding notable events tied to this correlation search
2) Remove the correlation search from the KV store with an inputlookup / outputlookup by the _key for that correlation search

Example for correlation search "UC-104-TEST"
Process:
1) Find the key for the correlation search (e.g. "UC-104-TEST")
| inputlookup correlationsearches_lookup
| search rule_name = "UC-104-TEST"
| table _key, rule_name

Returns:
"Threat - UC-104-TEST - Rule" for the _key field

2) Delete the correlation search by using the key
| inputlookup correlationsearches_lookup
| search _key!="Threat - UC-104-TEST - Rule"
| outputlookup correlationsearches_lookup

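Two added searches for the workaround above (not part of the original answer): the first supports step 1 by counting notable events per status for the rule, the second takes a CSV copy of the collection before step 2 overwrites it. They assume the ES `notable` macro and the `search_name` and `status_label` fields it returns, and assume the file name `correlationsearches_backup.csv` is not already in use.

```spl
| `notable`
| search search_name="Threat - UC-104-TEST - Rule"
| stats count AS notable_count by status_label

| inputlookup correlationsearches_lookup
| outputlookup correlationsearches_backup.csv
```

Run the first search over a time range that covers the rule's whole history; if step 2 removes the wrong entry, the copy can be restored with `| inputlookup correlationsearches_backup.csv | outputlookup correlationsearches_lookup`.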


Re: Why does the ES Incident Review page still list deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

Splunk Employee

When raising this with Splunk Support, please reference SOLNESS-15144.
