Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

Notable events

When a correlation search included in the Splunk App for PCI Compliance (or added by a user) identifies an event or pattern of events, it creates a notable event. Correlation searches filter the IT security data and correlate across events to identify a particular type of incident (or pattern of events) and then create notable events. The app includes pre-configured correlation searches to create notable events, and lets you add your own.

Correlation searches run at regular intervals (for example, every hour) or continuously in real-time and search events for a particular pattern or type of activity. The notable event is stored in a dedicated notable index, which is implemented as a summary index in Splunk Enterprise. The Incident Review dashboard is used to view and act on notable events. A notable event might be a single event of high importance, such as any activity from a known web attacker, or an aggregate of multiple events that together warrant review, such as a high number of authentication failures on a single host followed by a successful authentication.

Es-Graphic NotableEvents.png

When notable events are created, relevant information from the asset list is combined with the event information. To help to further identify important patterns, correlation searches are each assigned a "severity" of informational, low, medium, high, or critical. Notable events are assigned an "urgency", based on the severity of the event and the priority of the asset corresponding to the event.

ESS event severity.png

  • If Event Severity is Informational, the Event Urgency is Informational, regardless of Asset Priority
  • If Asset Priority is Unknown or Low and Event Severity is Unknown, Low, or Medium, the Event Urgency is Low
  • If Asset Priority is Unknown or Low and Event Severity is High, the Event Urgency is Medium
  • If Asset Priority is Unknown or Low and Event Severity is Critical, the Event Urgency is High
  • If Asset Priority is Unknown or Low and Event Severity is Critical, the Event Urgency is High
  • If Asset Priority is Medium and Event Severity is Unknown or Low, the Event Urgency is Low
  • If Asset Priority is Medium and Event Severity is Medium, the Event Urgency is Medium
  • If Asset Priority is Medium and Event Severity is High, the Event Urgency is High
  • If Asset Priority is Medium and Event Severity is Critical, the Event Urgency is Critical
  • If Asset Priority is High and Event Severity is Unknown, Low, or Medium, the Event Urgency is Medium
  • If Asset Priority is Medium and Event Severity is High, the Event Urgency is High
  • If Asset Priority is Medium and Event Severity is Critical, the Event Urgency is Critical
  • If Asset Priority is Critical and Event Severity is Unknown or Low, the Event Urgency is Medium
  • If Asset Priority is Critical and Event Severity is Medium, the Event Urgency is High
  • If Asset Priority is Critical and Event Severity is High or Critical, the Event Urgency is Critical

Note: Correlation searches do not use the calculated severity described if the events being searched contain a severity value (that is, a field named "severity").

How to suppress notable events

In some cases, you might want to prevent certain types of notable events from appearing on the Incident Review dashboard or contributing to alert thresholds. To do this, you need to create a notable event suppression. See "Suppressing notable events" in this manual.

PREVIOUS
Create new correlation searches
  NEXT
Configure Incident Workflow

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters