Alerting

Is it possible to have a token in the saved search name that will be completed based on contents of a field value?

MikeElliott
Communicator

Hi Team,

A potentially unusual question here! I'm working to develop a saved search that picks up GuardDuty alerts. The saved search needs to be mapped against a threat framework like MITRE ATT&CK, and I was wondering if I can be lazy and have "One Rule to Rule Them All" so to speak.

Does anyone know if it is possible to have a token in the saved search name that will be completed based on the contents of a field value?

Example GuardDuty event types:

  • Recon:IAMUser/ResourcePermissions
  • Recon:IAMUser/UserPermissions
  • Persistence:IAMUser/NetworkPermissions

I'd love to be able to then use something like a regex to extract the first and last parts of the event type and pass them to a token in the saved search name, e.g.

  • GuardDuty:Recon:ResourcePermissions:XXX:YYY:ZZZ
  • GuardDuty:Persistence:NetworkPermissions:XXX:YYY:ZZZ

Unfortunately, different alerts for different event types are not an option in this scenario and the only other alternative I can see is to have a generic word there, but that's not overly descriptive to someone picking up the alert.

This would also be taking place in Splunk Cloud, and so the only changes we can make are via the front-end GUI.

Has anyone got any suggestions?

Kind regards,
Mike


aberkow
Builder

From what I'm understanding you want to add in a token from your result into your alert notification? That sounds pretty similar to what this page describes: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/EmailNotificationTokens#Result_tokens:

$result.fieldname$:
First value for the specified field name from the first search result row. Verify that the search generates the field being accessed.

Example: There were $result.count$ login issues on $result.host$ in the past 5 minutes.

Hope this helps!

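One way to wire this together, as an added example (not code from the original post or from the Splunk documentation linked above): a `rex` extraction in the saved search populates the fields that the alert's result tokens then read. The index, the sourcetype and the `type` field name are assumptions about how the GuardDuty findings are ingested; adjust them to match the environment.

```spl
index=aws sourcetype="aws:cloudwatch:guardduty"
| rex field=type "^(?<tactic>[^:]+):(?<resource>[^/]+)/(?<technique>.+)$"
| where isnotnull(tactic) AND isnotnull(technique)
| eval subject="GuardDuty:".tactic.":".technique
| table _time, id, severity, type, tactic, technique, subject
```

The `rex` line splits a finding type such as `Recon:IAMUser/UserPermissions` into `tactic` (`Recon`), `resource` (`IAMUser`) and `technique` (`UserPermissions`); the `where` line drops any row whose type did not match, so a token never expands to an empty string. Save this as an alert and set the email subject to `GuardDuty:$result.tactic$:$result.technique$` (or simply `$result.subject$`). Because `$result.fieldname$` takes its value from the first result row only, pick the trigger option that fires once per result rather than once per search run: otherwise several findings of different types returned in one run would all be reported under the first row's tactic and technique. The saved search name itself is still fixed; it is the notification that carries the tokenised value.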

woodcock
Esteemed Legend

I like @aberkow's answer but perhaps you are asking something slightly different (it really is unclear). You may not be aware that you can save searches with tokens in them and these searches are un-runnable directly but other searches can run them so that the real code is all stored in one place. Search for replacement here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Savedsearch
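The replacement-argument mechanism woodcock refers to, as an added example (not from the original post): the saved search holds the shared logic with `$tactic$` and `$technique$` as placeholders, and the caller supplies the values. The saved search name `guardduty_by_tactic`, the index, the sourcetype and the `type` and `accountId` field names are assumptions.

```spl
index=aws sourcetype="aws:cloudwatch:guardduty" type="$tactic$:*"
| rex field=type "^(?<tactic>[^:]+):(?<resource>[^/]+)/(?<technique>.+)$"
| search technique="$technique$"
| stats count, latest(_time) AS last_seen BY accountId, type
```

Saved under that name, the search cannot be run on its own because the tokens are never filled in; another search invokes it with `| savedsearch guardduty_by_tactic tactic=Recon technique=UserPermissions`, and the values are substituted textually before the search runs. This keeps one copy of the GuardDuty parsing logic while letting each caller (or each alert built on top of it) narrow the results to a single tactic and technique.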

MikeElliott
Communicator

Thank you for your answer - This was really helpful! 😄

jacksonrolfe1
Engager

@MikeElliott Did you end up finding a solution to this?

MikeElliott
Communicator

So in theory, the tokenised saved search name would look like:

  • GuardDuty:$Token1$:$Token2$:XXX:YYY:ZZZ