How urgency is assigned to notable events in Splunk Enterprise Security
Notable events are assigned an urgency level that is a combination of the severity of the correlation search and the priority assignment of the relevant asset or identity. If both the asset and identity in the notable event have an assigned priority, the higher priority is used to calculate the urgency. You can use the Urgency field to prioritize the investigation of notable events. This table provides an example of how the urgency values are calculated.
| Asset or identity priority | Correlation search severity | Notable event urgency |
|---|---|---|
| any | informational | informational |
| unknown or low | unknown, low, or medium | low |
| unknown or low | high | medium |
| unknown or low | critical | high |
| medium | unknown or low | low |
| medium | medium | medium |
| medium | high | high |
| medium | critical | critical |
| high | unknown, low, or medium | medium |
| high | high | high |
| high | critical | critical |
| critical | unknown or low | medium |
| critical | medium | high |
| critical | high or critical | critical |
When calculating the severity level, a notable event displays a default of "low" urgency when an asset or identity is categorized as "unknown." The "unknown" classification typically represents an object that has no match in the asset and identities system.
A notable event can be assigned an "unknown" urgency level if the priority value from the asset and identity lookups or the severity value assigned by the correlation search or in a triggering event is not recognized by Enterprise Security. Verify that the correlation search severity is unknown, informational, low, medium, high, or critical. Verify that the asset or identity priority is unknown, low, medium, high, or critical.
Modify notable event urgency
You can modify the urgency assigned to notable events in several ways.
Modify notable event severity in correlation search syntax
You can modify the urgency of a notable event by defining severity in the correlation search syntax. You must have access to edit correlation searches to make these changes.
For example, you might want to change the severity of a correlation search according to the number of failures in the search results. To set a "critical" severity when there are more than 100 failures, a "high" severity when there are more than 50 failures, and a "medium" severity for the rest of the results, add search syntax like the following example to the end of the correlation search:
... | eval severity=case(failure>100,"critical",failure>50,"high",failure<=50,"medium")
Severity defined in the search syntax takes precedence over the severity defined in the notable event adaptive response action.
Modify the urgency lookup directly
You can change which severity and priority values result in which calculated urgency values for notable events in Splunk Enterprise Security.
Only specific values are valid for severity or priority values. Use only those values when modifying the lookup. Do not modify the names of the notable event urgency values.
- Valid severity values: unknown, informational, low, medium, high, critical.
- Valid priority values: unknown, low, medium, high, critical.
- Valid urgency values: informational, low, medium, high, critical.
- On the Enterprise Security menu bar, select Configure > Content > Content Management.
- Choose the Urgency Levels lookup. An editable, color coded table representing the urgency lookup file displays.
- In any row where the priority or severity is listed as unknown, review the assigned urgency.
- (Optional) Edit the table and change the urgency to another one of the accepted values. All urgency values must be lower case.
- Click Save.
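The following Python script is an added example, not Splunk's own code, that reproduces the urgency calculation described on this page (the priority-by-severity table, the "higher of asset and identity priority" rule, and the "unknown" result for unrecognized values) and applies the value checks this section describes for the urgency lookup (only the listed values, urgency in lower case). The grouped-row layout of `_DEFAULT_GROUPS`, the function names, and the treatment of an unmatched asset or identity as the priority "unknown" are assumptions for illustration; Splunk's actual lookup file format is not shown on this page.

```python
# Added example: models the Splunk ES urgency calculation described on this page.
# Not Splunk code; names and the grouped-row layout are assumptions for illustration.

# Rank used to choose the higher of the asset and identity priorities.
PRIORITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
VALID_SEVERITY = ("unknown", "informational", "low", "medium", "high", "critical")
VALID_URGENCY = ("informational", "low", "medium", "high", "critical")

# Default mapping from the table on this page, as (priorities, severities, urgency)
# groups; build_lookup() expands each group into one entry per (priority, severity).
_DEFAULT_GROUPS = [
    (("unknown", "low"), ("unknown", "low", "medium"), "low"),
    (("unknown", "low"), ("high",), "medium"),
    (("unknown", "low"), ("critical",), "high"),
    (("medium",), ("unknown", "low"), "low"),
    (("medium",), ("medium",), "medium"),
    (("medium",), ("high",), "high"),
    (("medium",), ("critical",), "critical"),
    (("high",), ("unknown", "low", "medium"), "medium"),
    (("high",), ("high",), "high"),
    (("high",), ("critical",), "critical"),
    (("critical",), ("unknown", "low"), "medium"),
    (("critical",), ("medium",), "high"),
    (("critical",), ("high", "critical"), "critical"),
]


def validate_row(priority, severity, urgency):
    """Reject any value outside the accepted sets; 'Medium' fails because urgency must be lower case."""
    if priority not in PRIORITY_RANK:
        raise ValueError(f"invalid priority {priority!r}")
    if severity not in VALID_SEVERITY:
        raise ValueError(f"invalid severity {severity!r}")
    if urgency not in VALID_URGENCY:
        raise ValueError(f"invalid urgency {urgency!r}")


def build_lookup(groups=_DEFAULT_GROUPS):
    """Expand grouped rows into a {(priority, severity): urgency} table, validating each row."""
    table = {}
    for priorities, severities, urgency in groups:
        for priority in priorities:
            for severity in severities:
                validate_row(priority, severity, urgency)
                table[(priority, severity)] = urgency
    # Informational severity yields informational urgency regardless of priority.
    for priority in PRIORITY_RANK:
        table[(priority, "informational")] = "informational"
    return table


def effective_priority(asset_priority, identity_priority):
    """Return the higher of the two priorities.

    None (no match in the asset or identity system) is treated as 'unknown', an assumption
    based on the page's note that unmatched objects are categorized as unknown. A supplied
    value that is not a recognized priority makes the whole result None.
    """
    chosen = "unknown"
    for value in (asset_priority, identity_priority):
        if value is None:
            continue
        value = value.lower()
        if value not in PRIORITY_RANK:
            return None
        if PRIORITY_RANK[value] > PRIORITY_RANK[chosen]:
            chosen = value
    return chosen


def calculate_urgency(severity, asset_priority=None, identity_priority=None, table=None):
    """Urgency for a notable event; 'unknown' when severity or priority is not recognized."""
    table = table or build_lookup()
    if not severity or severity.lower() not in VALID_SEVERITY:
        return "unknown"
    priority = effective_priority(asset_priority, identity_priority)
    if priority is None:
        return "unknown"
    return table[(priority, severity.lower())]


if __name__ == "__main__":
    # Constructed sample notable events: (severity, asset priority, identity priority).
    samples = [
        ("critical", "low", None),          # unknown/low priority + critical severity -> high
        ("high", "low", "critical"),        # higher of the two priorities (critical) wins -> critical
        ("informational", "critical", None),  # informational severity always -> informational
        ("medium", None, None),             # no asset/identity match -> unknown priority -> low
        ("medium", "urgent", None),         # unrecognized priority value -> unknown urgency
    ]
    for sev, asset, ident in samples:
        print(f"severity={sev!r:16} asset={asset!r:10} identity={ident!r:10} -> "
              f"{calculate_urgency(sev, asset, ident)}")
```

The `validate_row` check mirrors what you would want before saving an edited Urgency Levels lookup: every cell must be one of the listed values, and urgency values must be lower case, so a row containing `Medium` is rejected rather than silently producing an "unknown" urgency at search time.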
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1