Splunk ES: Risk Notable Urgency
In Splunk Enterprise Security, the Urgency level of the out-of-the-box Risk Notables is not assigned correctly, because the priority of the risk object is never looked up. Add this simple solution to fix it.

By default, a risk object's priority is not taken into account for the Urgency of a Risk Notable, even if it is configured in the Asset and Identity (A&I) database: the notable carries the object in the risk_object field, which urgency assignment does not key on. The Notable Event's Urgency level helps an analyst decide which events to work first. Other fields can also be used to filter higher-priority events, but a correctly populated Urgency field gives analysts one more way to triage.
The Urgency level is a combination of an Asset/Identity's priority plus the severity of the event. The default Urgency Lookup can be found in Content Management in the Enterprise Security App. Only the following fields are used to determine priority:
- For identities: user or src_user
- For assets: dest, src, or dvc

Example
In the following example, the risk_object [email protected] is listed as a "critical" priority user in the Identity Database (see Figure 2: Critical Priority User).

Although the severity of the event is high, a medium level of Urgency is produced, because the priority of the risk object was never looked up and fell back to unknown (see Figure 1: Urgency Matrix).
Severity = high
Priority = critical (from the Identity Database)
Urgency produced = medium
Expected Urgency Level = critical

Solution
The solution is quite simple. Adding a few lines of SPL to the correlation searches that generate the Risk Notables makes the Urgency level work as intended:
...
| eval user=if(risk_object_type=="user", risk_object, null()),
       src=if(isnull(user), risk_object, null())
Depending on the risk_object_type, either the user or the src field is populated with the risk_object, so the notable now carries a field that the A&I lookups key on and the Urgency level is set correctly. Objects that are neither users nor assets (a file hash, for example) end up in src but match no asset, so they keep the unknown priority they had before; the fix does not make them worse.
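To make the mechanism concrete, here is a small Python model of the lookup chain (added here; it is not part of the original article and not Splunk or ES code). It shows that a notable carrying only risk_object never matches the A&I tables and therefore gets the "unknown" priority row of the urgency matrix, and that copying risk_object into user or src (the eval above) is what lets the configured priority reach the lookup. The identity and asset tables, the urgency matrix cells and the sample notables are all constructed for illustration, and the rule that the highest priority found across the keyed fields wins is an assumption of the model, not something the article states.

```python
"""Model of ES urgency assignment for Risk Notables (added example, not
Splunk/ES code).  All tables and events are constructed for illustration."""

# Fields ES consults for priority (from the article).
IDENTITY_FIELDS = ("user", "src_user")
ASSET_FIELDS = ("dest", "src", "dvc")

# Constructed stand-ins for the A&I lookups: identity/asset -> priority.
IDENTITIES = {"jdoe": "critical", "svc_backup": "low"}
ASSETS = {"10.0.0.5": "high", "dc01.corp.example": "critical"}

# Constructed urgency matrix, keyed (priority, severity).  Only the rows this
# example needs; the unknown/high -> medium and critical/high -> critical cells
# follow the behaviour described in the article.  This is NOT the shipped ES
# "Urgency Levels" lookup; edit it to match your deployment.
URGENCY = {
    ("unknown", "high"): "medium",
    ("low", "high"): "medium",
    ("medium", "high"): "medium",
    ("high", "high"): "high",
    ("critical", "high"): "critical",
}
PRIORITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def lookup_priority(event):
    """Highest A&I priority found on any field ES keys on (assumption: highest
    wins).  A value sitting only in risk_object never matches -> 'unknown'."""
    found = ["unknown"]
    for f in IDENTITY_FIELDS:
        found.append(IDENTITIES.get(event.get(f), "unknown"))
    for f in ASSET_FIELDS:
        found.append(ASSETS.get(event.get(f), "unknown"))
    return max(found, key=PRIORITY_RANK.__getitem__)


def urgency(event):
    """Urgency = matrix[(priority, severity)]; falling back to the severity when
    no row exists is a constructed convenience, not documented ES behaviour."""
    return URGENCY.get((lookup_priority(event), event["severity"]), event["severity"])


def apply_fix(event):
    """Python equivalent of the article's eval:
       user=if(risk_object_type=="user", risk_object, null()),
       src=if(isnull(user), risk_object, null())"""
    out = dict(event)
    if out.get("risk_object_type") == "user":
        out["user"] = out["risk_object"]
    if out.get("user") is None:
        out["src"] = out["risk_object"]
    return out


def compare(events):
    """Return (risk_object, urgency_without_fix, urgency_with_fix) per event."""
    return [(e["risk_object"], urgency(e), urgency(apply_fix(e))) for e in events]


# Constructed risk notables; the A&I tables above know the first two objects.
SAMPLE_EVENTS = [
    {"risk_object": "jdoe", "risk_object_type": "user", "severity": "high"},
    {"risk_object": "10.0.0.5", "risk_object_type": "system", "severity": "high"},
    # A (made-up) file hash: the eval puts it in src, but no asset matches,
    # so its priority stays unknown with or without the fix.
    {"risk_object": "0123456789abcdef0123456789abcdef", "risk_object_type": "other",
     "severity": "high"},
]

if __name__ == "__main__":
    for obj, before, after in compare(SAMPLE_EVENTS):
        print(f"{obj:34} without fix: {before:8} with fix: {after}")
```

Running the block prints one line per constructed notable: the user and the known host climb from medium to critical and high respectively once the eval has populated user or src, while the hash stays at medium. If you swap the constructed URGENCY rows for the cells of your own Urgency Levels lookup, the same model reproduces what Incident Review will show before and after the change.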

Conclusion
By adding a few lines of SPL, you can correct the behavior of Risk Notables that do not set the correct Urgency Level. This gives you another way to triage events and lets the Incident Review dashboard represent criticality more accurately.
Visit https://rba.community to learn more!
