Splunk® Enterprise Security

Use Splunk Enterprise Security

How urgency is assigned to notable events in Splunk Enterprise Security

Notable events are assigned an urgency level that is a combination of the severity of the correlation search and the priority assignment of the relevant asset or identity. If both the asset and identity in the notable event have an assigned priority, the higher priority is used to calculate the urgency. You can use the Urgency field to prioritize the investigation of notable events. This table provides an example of how the urgency values are calculated.

A table showing the urgency values that result from the correlation search severity and asset or identity priority in the notable event.

  • If event severity is informational, the event urgency is informational, regardless of asset priority.
  • If asset priority is unknown or low and event severity is unknown, low, or medium, the event urgency is low.
  • If asset priority is unknown or low and event severity is high, the event urgency is medium.
  • If asset priority is unknown or low and event severity is critical, the event urgency is high.
  • If asset priority is medium and event severity is unknown or low, the event urgency is low.
  • If asset priority is medium and event severity is medium, the event urgency is medium.
  • If asset priority is medium and event severity is high, the event urgency is high.
  • If asset priority is medium and event severity is critical, the event urgency is critical.
  • If asset priority is high and event severity is unknown, low, or medium, the event urgency is medium.
  • If asset priority is high and event severity is high, the event urgency is high.
  • If asset priority is high and event severity is critical, the event urgency is critical.
  • If asset priority is critical and event severity is unknown or low, the event urgency is medium.
  • If asset priority is critical and event severity is medium, the event urgency is high.
  • If asset priority is critical and event severity is high or critical, the event urgency is critical.

When calculating the urgency level, a notable event defaults to "low" urgency when the asset or identity priority is "unknown." The "unknown" classification typically represents an object that has no match in the asset and identity system.

A notable event can be assigned an "unknown" urgency level if the priority value from the asset and identity lookups or the severity value assigned by the correlation search or in a triggering event is not recognized by Enterprise Security. Verify that the correlation search severity is unknown, informational, low, medium, high, or critical. Verify that the asset or identity priority is unknown, low, medium, high, or critical.

Modify notable event urgency

You can modify the urgency assigned to notable events in several ways.

Modify notable event severity in correlation search syntax

You can modify the urgency of a notable event by defining the severity in the correlation search syntax. You must have access to edit correlation searches to make these changes.

For example, you might want to set the severity of a correlation search according to the number of failures in the search results. To set a "critical" severity when there are more than 100 failures, a "high" severity when there are more than 50 failures, and a "medium" severity for the rest of the results, add search syntax like the following example to the end of the correlation search:

... | eval severity=case(failure>100,"critical",failure>50,"high",failure<=50,"medium")

Severity defined in the search syntax takes precedence over the severity defined in the notable event adaptive response action.
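The urgency calculation described above (higher of asset and identity priority, "informational" overriding priority, unrecognized values yielding "unknown") and the failure-count severity example, reproduced as an added Python lookup that is not Splunk's own code. The function and table names are my own; the rows come from the urgency table on this page.

```python
# Added example: an offline model of how Splunk Enterprise Security derives
# notable event urgency from correlation search severity and asset/identity
# priority. Names below are hypothetical; the table rows follow this page.

SEVERITIES = ("unknown", "informational", "low", "medium", "high", "critical")
PRIORITIES = ("unknown", "low", "medium", "high", "critical")  # ascending order

# Urgency rows keyed by priority, then severity. "unknown" and "low"
# priority share one row. Values are case-sensitive, as in the lookup.
_ROWS = {
    "unknown":  {"unknown": "low", "low": "low", "medium": "low",
                 "high": "medium", "critical": "high"},
    "medium":   {"unknown": "low", "low": "low", "medium": "medium",
                 "high": "high", "critical": "critical"},
    "high":     {"unknown": "medium", "low": "medium", "medium": "medium",
                 "high": "high", "critical": "critical"},
    "critical": {"unknown": "medium", "low": "medium", "medium": "high",
                 "high": "critical", "critical": "critical"},
}
_ROWS["low"] = _ROWS["unknown"]


def effective_priority(asset_priority=None, identity_priority=None):
    """Return the higher of the asset and identity priorities.

    With no match in either lookup the priority is "unknown"; an unrecognized
    value returns None so the caller can report an "unknown" urgency.
    """
    present = [p for p in (asset_priority, identity_priority) if p is not None]
    if not present:
        return "unknown"
    if any(p not in PRIORITIES for p in present):
        return None
    return max(present, key=PRIORITIES.index)


def urgency(severity, asset_priority=None, identity_priority=None):
    """Calculate notable event urgency from severity and priority."""
    priority = effective_priority(asset_priority, identity_priority)
    if severity not in SEVERITIES or priority is None:
        return "unknown"          # value not recognized by Enterprise Security
    if severity == "informational":
        return "informational"    # informational regardless of priority
    return _ROWS[priority][severity]


def severity_from_failures(failures):
    """Python mirror of the eval/case example: >100 critical, >50 high."""
    if failures > 100:
        return "critical"
    if failures > 50:
        return "high"
    return "medium"
```

Running `urgency(severity_from_failures(120), "high")` returns "critical", which is what the eval example plus a high-priority asset would produce in ES.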

Modify the urgency lookup directly

You can change which severity and priority values result in which calculated urgency values for notable events in Splunk Enterprise Security.

Only specific values are valid for severity or priority values. Use only those values when modifying the lookup. Do not modify the names of the notable event urgency values.

  • Valid severity values: unknown, informational, low, medium, high, critical.
  • Valid priority values: unknown, low, medium, high, critical.
  • Valid urgency values: informational, low, medium, high, critical.

  1. On the Enterprise Security menu bar, select Configure > Content > Content Management.
  2. Choose the Urgency Levels lookup. An editable, color-coded table representing the urgency lookup file is displayed.
  3. In any row where the priority or severity is listed as unknown, review the assigned urgency.
  4. (Optional) Edit the table and change the urgency to another one of the accepted values. All urgency values must be lowercase.
  5. Click Save.

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0