Hi,
This question relates to:
- Splunk Enterprise 6.4.1
- Splunk ES 4.1.1
I am trying to generate a list of existing correlation searches which includes the following details:
* Title
* Description
* Severity
* Status (enabled / disabled)
* Risk Object field (optional, but nice to have)
* Risk Object Type
* Risk Score
I have put together the following:
| rest /services/alerts/correlationsearches
| rename eai:acl.app as app, title as csearch_name
| join type=outer app csearch_name
    [| rest /services/saved/searches
     | rename eai:acl.app as app, title as csearch_name, search as csearch
     | table app, csearch_name, csearch, disabled]
| eval status=if(disabled==1,"Disabled","Enabled")
| table app, security_domain, rule_title, csearch_name, description, severity, csearch, disabled, status
This produces something like:
security_domain rule_title csearch_name description severity csearch disabled status
access Account Deleted Access - Account Deleted - Rule Detects user and computer account deletion medium [search content here] 1 Disabled
Which gives me part of what I want, but I am unsure how to pull in the risk scores attached to the correlation search.
How does Splunk tie the risk scores into the correlation search, and how would I go about attaching it to the search?
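Editor's added example (not part of the original question, and not answered on this page): in ES 4.x the risk score is not a property of the correlation search entry itself but of the "risk" alert action attached to the underlying saved search, so it comes back from /services/saved/searches as alert-action parameters. The search below extends the asker's join on that assumption, using the parameter names action.risk, action.risk.param._risk_score, action.risk.param._risk_object and action.risk.param._risk_object_type; those names are assumed from the ES 4.x custom alert action convention, so confirm them on your own instance first with `| rest /services/saved/searches | search title="Access - Account Deleted - Rule" | fields action.risk*`.

```spl
| rest /services/alerts/correlationsearches
| rename eai:acl.app as app, title as csearch_name
| join type=outer app csearch_name
    [| rest /services/saved/searches
     | rename eai:acl.app as app, title as csearch_name, search as csearch,
              action.risk as risk_action,
              action.risk.param._risk_score as risk_score,
              action.risk.param._risk_object as risk_object,
              action.risk.param._risk_object_type as risk_object_type
     | table app, csearch_name, csearch, disabled,
             risk_action, risk_score, risk_object, risk_object_type]
| eval status=if(disabled==1,"Disabled","Enabled")
| eval risk_scoring=if(risk_action=="1","On","Off")
| table app, security_domain, rule_title, csearch_name, description, severity,
        status, risk_scoring, risk_object, risk_object_type, risk_score
```

risk_object is the name of the field in the correlation search's results whose value the score is attributed to (for example `user` or `dest`), risk_object_type is the category that value is filed under (system, user or other), and risk_score is the amount added to that object each time the search fires. Keep the risk_scoring column in the report: a search can carry leftover risk parameters while the risk action itself is switched off, and in that case the score shown is never applied.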