Splunk ES: Risk Notable Urgency

In Splunk Enterprise Security, the out-of-the-box Risk notables do not get their Urgency assigned correctly, because the fields that the urgency lookup inspects are never populated. A few lines of SPL fix it.


By default, a risk object's priority is not taken into account when the Urgency of a Risk notable is calculated, even if that user or asset has a priority configured in the Asset and Identity (A&I) framework. The Urgency of a Notable event helps an analyst decide which events to work on first. Other fields can be used to filter for higher-priority events, but a correctly populated Urgency field is still worth having.

The Urgency level is derived from the priority of the asset or identity involved in the event combined with the severity of the event. The default urgency lookup can be found under Content Management in the Enterprise Security app. Only the following fields are consulted to determine the priority:

  • For identities: user or src_user
  • For assets: dest, src, or dvc
Figure 1: Urgency Matrix
Reference: https://docs.splunk.com/Documentation/ES/7.1.0/User/Howurgencyisassigned

Example

In the following example, the risk_object alexisc@zachthesplunker.com is listed as a "critical" priority user in the Identity database (see Figure 2: Critical Priority User).

Figure 2: Critical Priority User - alexisc@zachthesplunker.com

Although the severity of the event is high, the notable is produced with a medium Urgency (see Figure 1: Urgency Matrix).

Severity = high
Priority = critical
Expected Urgency = critical (per the Urgency Matrix, Figure 1)
Actual Urgency = medium

The Urgency is set to medium because none of the fields the lookup inspects (user or src_user) is present in the event: the risk object is carried in risk_object, not in user. With no identity to look up, the priority resolves to "unknown", and unknown priority + high severity = medium urgency.

Figure 3: Incident Review - Risk Notable

Solution

The solution is simple: add a few lines of SPL to the end of each Risk notable correlation search, before the notable is created, and the Urgency level works as intended.

...
| eval
    user=case(risk_object_type=="user", risk_object),
    src=case(isnull(user), risk_object)

Depending on the risk_object_type, either the user or the src field is populated with the risk_object, which lets the identity or asset priority be resolved and the Urgency set correctly. Note that with this eval every non-user risk object (risk_object_type of "system" or "other") lands in src, so the asset lookup is consulted for both.
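As an added example (not part of the original post), the search below lets you confirm the behaviour on existing risk data before editing a correlation search: it rebuilds a risk notable for one risk object, populates user or src the way the fix does, resolves the priority and looks up the urgency. It assumes the default risk index name (index=risk), the standard ES lookup names identity_lookup_expanded, asset_lookup_by_str and urgency_lookup with their key fields identity, asset and priority/severity, and hardcodes severity="high" to mirror the post's example; verify these names against your ES version. The explicit mapping of risk_object_type to user versus src is my variation on the post's eval.

```spl
index=risk risk_object="alexisc@zachthesplunker.com" earliest=-24h
| stats sum(risk_score) AS risk_score, values(search_name) AS search_name
    by risk_object, risk_object_type
| eval user=if(risk_object_type=="user", risk_object, null()),
       src=if(risk_object_type!="user", risk_object, null())
| lookup identity_lookup_expanded identity AS user OUTPUTNEW priority AS user_priority
| lookup asset_lookup_by_str asset AS src OUTPUTNEW priority AS src_priority
| eval priority=coalesce(user_priority, src_priority, "unknown"),
       severity="high"
| lookup urgency_lookup priority severity OUTPUT urgency
| table risk_object, risk_object_type, user, src, priority, severity, urgency
```

For the user in the post, the expected row shows priority=critical and urgency=critical. Remove the two lookups' input fields (run the search without the eval line) and the same row drops back to priority=unknown and urgency=medium, which is the bug the post describes. Once the result looks right, only the eval line needs to go into the correlation search; the identity, asset and urgency lookups are applied by ES itself when the notable is created.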

The Urgency level of the event now aligns with the expected results, and we now see a "Critical" urgency.
Figure 4: Incident Review - Risk Notable - Correct Urgency

Conclusion

By adding a few lines of SPL, you can correct the Risk notables' failure to set the right Urgency level. This gives you another way to triage events and lets the Incident Review dashboard represent criticality more accurately.


💡 We have a whole community dedicated to Splunk RBA. Feel free to join us and our upcoming meetings!

Visit https://rba.community to learn more.