How urgency is assigned to notable events in Splunk Enterprise Security
Notable events are assigned an urgency level that is a combination of the severity of the correlation search and the priority assignment of the relevant asset or identity. If both the asset and identity in the notable event have an assigned priority, the higher priority is used to calculate the urgency. You can use the Urgency field to prioritize the investigation of notable events. This table provides an example of how the urgency values are calculated.
- If event severity is informational, the event urgency is informational, regardless of asset priority.
- If asset priority is unknown or low and event severity is unknown, low, or medium, the event urgency is low.
- If asset priority is unknown or low and event severity is high, the event urgency is medium.
- If asset priority is unknown or low and event severity is critical, the event urgency is high.
- If asset priority is unknown or low and event severity is critical, the event urgency is high.
- If asset priority is medium and event severity is unknown or low, the event urgency is low.
- If asset priority is medium and event severity is medium, the event urgency is medium.
- If asset priority is medium and event severity is high, the event urgency is high.
- If asset priority is medium and event severity is critical, the event urgency is critical.
- If asset priority is high and event severity is unknown, low, or medium, the event urgency is medium.
- If asset priority is medium and event severity is high, the event urgency is high.
- If asset priority is medium and event severity is critical, the event urgency is critical.
- If asset priority is critical and event severity is unknown or low, the event urgency is medium.
- If asset priority is critical and event severity is medium, the event urgency is high.
- If asset priority is critical and event severity is high or critical, the event urgency is critical.
Correlation searches do not use the calculated severity described if the events being searched contain a severity field.
When calculating the severity level, a notable event displays a default of "low" urgency when an asset or identity is categorized as "unknown." The "unknown" classification typically represents an object that has no match in the asset and identities system.
A notable event can be assigned an unknown urgency level if the severity value assigned by the correlation search or in a triggering event is not recognized by Enterprise Security. This indicates an error in the severity value provided by the correlation search syntax. Verify that the correlation search severity is unknown, informational, low, medium, high, or critical.
Modify notable event urgency
You can change which severity and priority values result in which calculated urgency values for notable events in Enterprise Security. Do not modify the names of the notable event urgency values.
- On the Enterprise Security menu bar, select Configure > Data Enrichment > Lists and Lookups.
- Click the Urgency Levels lookup.
An editable, color coded table representing the urgency lookup file displays. - In any row where the priority or severity is listed as unknown, review the assigned Urgency.
- (Optional) Edit the table and change the Urgency from unknown to one of the other accepted values. All urgency values must be lower case.
- Save the changes
Included adaptive response actions with | Investigations in |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
Feedback submitted, thanks!