Post

Splunk ES: Risk Notable Urgency

Posted Updated
Preview Image
By Zachary Christensen 2 min read

In Splunk Enterprise Security, the Urgency levels for the out-of-the-box Risk notables will not be assigned correctly. Add this simple solution to fix it.

By default, a risk object’s priority is not taken into account for the Urgency of a Notable event, even if it is configured in the Asset and Identity (A&I) database. The Notable Event’s Urgency level can help an analyst prioritize which events to begin working on. Although other fields can help filter higher-priority events, it’s also a good idea to have the Urgency field to use when needed.

The Urgency level is a combination of an Asset/Identity’s priority plus the severity of the event. The default Urgency Lookup can be found in Content Management in the Enterprise Security App. Only the following fields are used to determine priority:

For identities
user or src_user
For assets
dest, src, or dvc

Notable Urgency Matrix Figure 1: Urgency Matrix

Problem Example

In the following example, the risk_object [email protected] is listed as a “critical” priority user in the Identity Database (see Figure 2: Critical Priority User).

Critical Priority User Figure 2: Critical Priority User - [email protected]

And although the severity of the event is high, a medium level of Urgency is produced (see Figure 1: Urgency Matrix).

Expected Result

High severity + Critical priority = Critical urgency

Actual Result

The actual Urgency level is set to “Medium” since a valid field (user/src_user) is not found within the event. This interprets the user priority as “unknown.”

High severity + Unknown priority = Medium urgency

Incident Review Figure 3: Incident Review - Risk Notable

Solution

The solution is quite simple. By adding a few lines of SPL to the Risk Notables, the Urgency level works as intended.

1
2
3
4

...
| eval 
    user=case(risk_object_type=="user", risk_object),
    src=case(isnull(user), risk_object)

Depending on the risk_object_type either the user or src field will be populated with the risk_object allowing for the urgency level to be set correctly.

The Urgency level of the event now aligns with the expected results, and we now see a “Critical” urgency.

Incident Review - Correct Urgency Figure 4: Incident Review - Risk Notable - Correct Urgency

Conclusion

By adding a few lines of SPL, you can correct the behavior of Risk Notables by not setting the correct Urgency Level. This will give you another way to triage events and gain the ability to represent criticality in your Incident Review dashboard more accurately.

We have a whole community dedicated to Splunk RBA. Feel free to join us and our upcoming meetings!

Visit https://rba.community/ to learn more.

The RBA Community The RBA Community

Walk-through
rba enterprise security
This post is licensed under CC BY 4.0 by the author.