In Splunk Enterprise Security, the Urgency level of the out-of-the-box Risk Notables is not assigned correctly. Add this simple solution to fix it.
By default, a risk object’s priority is not taken into account for the Urgency of a Notable event, even if it is configured in the Asset and Identity (A&I) database. The Notable Event’s Urgency level can help an analyst prioritize which events to begin working on. Although other fields can help filter higher-priority events, it’s also a good idea to have the Urgency field to use when needed.
The Urgency level is a combination of an Asset/Identity’s priority plus the severity of the event. The default Urgency Lookup can be found in Content Management in the Enterprise Security App. Only the following fields are used to determine priority:
- For identities
- For assets
Figure 1: Urgency Matrix
In the following example, the risk_object [email protected] is listed as a “critical” priority user in the Identity Database (see Figure 2: Critical Priority User).
Figure 2: Critical Priority User
Although the severity of the event is high, an Urgency of Medium is produced instead of the Critical level the matrix predicts (see Figure 1: Urgency Matrix):
High severity + Critical priority = Critical urgency
The actual Urgency level is set to “Medium” since a valid field (user/src_user) is not found within the event. This interprets the user priority as “unknown.”
High severity + Unknown priority = Medium urgency
The solution is quite simple. By adding a few lines of SPL to the Risk Notables, the Urgency level works as intended.
... | eval user=case(risk_object_type=="user", risk_object), src=case(isnull(user), risk_object)
Depending on the risk_object_type, either the user or the src field is populated with the risk_object, allowing the Urgency level to be set correctly.
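The lookup path described above, modelled in Python as an added example (not code from the original post or from Splunk): the A&I entries and the urgency matrix are constructed stand-ins, with only the two cells the post states taken as given, and apply_fix mirrors the eval line.

```python
# Added example (not code from the original post): a small model of how ES
# derives a Risk Notable's urgency, before and after the post's eval. The A&I
# entries and the urgency matrix are constructed; only two cells come from the
# post (high severity: critical priority -> critical, unknown -> medium).

IDENTITY_FIELDS = ("user", "src_user")  # identity fields named in the post
ASSET_FIELDS = ("src",)                 # asset field the post's eval populates

IDENTITY_PRIORITY = {"critical.user@example.com": "critical"}  # constructed
ASSET_PRIORITY = {"10.0.0.5": "high"}                          # constructed

SEVERITIES = ("informational", "low", "medium", "high", "critical")
URGENCY = {  # priority -> urgency per severity, in SEVERITIES order (assumed)
    "unknown":  ("informational", "low", "low", "medium", "high"),
    "low":      ("informational", "low", "low", "medium", "high"),
    "medium":   ("informational", "low", "medium", "medium", "high"),
    "high":     ("informational", "low", "medium", "high", "critical"),
    "critical": ("informational", "medium", "high", "critical", "critical"),
}

def apply_fix(event):
    """Python equivalent of the post's SPL:
    | eval user=case(risk_object_type=="user", risk_object),
           src=case(isnull(user), risk_object)
    case() with no matching clause yields null, so exactly one of user/src
    ends up holding the risk_object."""
    out = dict(event)
    out["user"] = event["risk_object"] if event.get("risk_object_type") == "user" else None
    if out["user"] is None:
        out["src"] = event["risk_object"]
    return out

def lookup_priority(event):
    """Priority is resolved only via the A&I fields, never from risk_object."""
    for field in IDENTITY_FIELDS:
        if event.get(field) in IDENTITY_PRIORITY:
            return IDENTITY_PRIORITY[event[field]]
    for field in ASSET_FIELDS:
        if event.get(field) in ASSET_PRIORITY:
            return ASSET_PRIORITY[event[field]]
    return "unknown"

def urgency(event):
    return URGENCY[lookup_priority(event)][SEVERITIES.index(event["severity"])]

# Constructed Risk Notable: risk_object is a critical-priority identity, but
# the event carries no user/src_user field for the urgency lookup to use.
RISK_NOTABLE = {"risk_object": "critical.user@example.com",
                "risk_object_type": "user", "severity": "high"}
```

Without the eval, urgency(RISK_NOTABLE) resolves the priority as unknown and returns medium; after apply_fix the user field is populated and the same event returns critical.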
The Urgency level of the event now aligns with the expected results, and we now see a “Critical” urgency.
By adding a few lines of SPL, you can correct the behavior of Risk Notables that otherwise do not set the correct Urgency level. This gives you another way to triage events and lets you represent criticality in your Incident Review dashboard more accurately.
We have a whole community dedicated to Splunk RBA. Feel free to join us and our upcoming meetings!
Visit https://rba.community/ to learn more.