I want to check the severity of notable events so that I can hardcode the value of urgency without using lookups.
Is there a way to check the urgency of notable events?
Hi @snigdhasaxena,
Please refer to this document: http://docs.splunk.com/Documentation/ES/5.1.0/User/Howurgencyisassigned. You will find the answer there.
Hi,
Thanks for responding, but I want to see the severity tagged to each notable event, not how it is assigned.
Do we have any field which corresponds to the severity values?
Ok, if I am understanding your requirement correctly, you would like to know the severity of all notable events and not the urgency. In this case, looking at the ES structure: when you create a Correlation Search and add the Adaptive Response "Notable", at that time you need to select the severity, and that severity will be assigned to all notable events generated by that Correlation Search.

When the correlation search runs, if any events are found and you have selected the Adaptive Response "Notable", then all those output events of the correlation search go to the notable index. If you would like to know the severity of those notable events, you can run the query below.
index=notable | lookup correlationsearches_lookup _key AS search_name OUTPUTNEW severity
If left to Splunk defaults, the severities should be calculated based on the severity assigned to the notable event, cross referenced with the priorities of affected assets and users.
However, you can manually set a severity value by using a field called "severity", which Splunk will use as the severity value. This can be useful for when you want to dynamically change the severity based on other factors, such as a CVE score on an IDS detection.
e.g.
...|eval severity=case(cvs_score>9, "critical", cvs_score>7, "high", cvs_score>4, "medium", cvs_score>0, "low", 1==1, "unknown")
It is also worth noting that some IDS/IPS/AV systems use a severity field by default which overrides the ES calculated severity. Where this is not desired, it is worth renaming the field in the logs to something like:
...|rename severity as orig_severity
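Putting the two answers above together, here is an added example that is not from the original thread or from Splunk's own documentation. It builds four constructed alert rows with makeresults (the field names cvss_score, signature and the vendor-supplied severity values are assumptions for illustration), renames the vendor's severity field to orig_severity first so it cannot override the ES calculation, then derives severity from the CVSS score. The thresholds follow the CVSS v3 qualitative bands (9.0+ critical, 7.0+ high, 4.0+ medium), which differ slightly from the strict comparisons in the post above, and the case() falls back to the lower-cased vendor severity when no usable score is present, so the rename does not silently drop a signal you still want.

```spl
| makeresults count=4
| streamstats count AS row
| eval cvss_score=case(row=1, "9.8", row=2, "5.3", row=3, "0.0", row=4, null()),
       severity=case(row=1, "Low", row=2, "High", row=3, "Medium", row=4, "Critical"),
       signature="constructed sample alert ".row
| rename severity AS orig_severity
| eval cvss_score=tonumber(cvss_score)
| eval severity=case(
    cvss_score>=9.0, "critical",
    cvss_score>=7.0, "high",
    cvss_score>=4.0, "medium",
    cvss_score>0, "low",
    isnotnull(orig_severity), lower(orig_severity),
    1==1, "unknown")
| table row signature cvss_score orig_severity severity
```

Row 1 ends up "critical" even though the vendor rated it "Low", row 2 becomes "medium", row 3 (score 0.0) falls through to the vendor's "medium", and row 4 (no score) keeps the vendor's "critical". In a real correlation search, replace the makeresults and eval lines that build the sample with your IDS sourcetype search; the rename, tonumber and case() stages are the reusable part. After the search has generated notables, the lookup query from the earlier answer against index=notable will show which severity each event actually carried.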