Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cycognito not raising an alerts?

AL3Z
Builder
‎02-01-2024 09:27 AM

Hi all,

How can we resolve the issue of Cycognito Correlation search not triggering any alerts in Splunk over the past month?

index= cycog sourcetype="cycognito:issue" severity="Critical"
| stats count, values(affected_asset) as affected_asset, values(title) as title, values(summary) as description, values(severity) as severity, values(confidence) as confidence, values(detection_complexity) as detection_complexity, values("evidence.evidence") as evidence, values(exploitation_method) as exploitation_method, earliest(first_detected) as first_detected, latest(last_detected) as last_detected, values(organizations) as organization by cycognito_id
| eval date_found=strptime(first_detected,"%Y-%m-%dT%H:%M:%S.%QZ")
| eval control_time = relative_time(now(), "-24h")
| where date_found >control_time

AL3Z_1-1706808226047.png

 

AL3Z_0-1706808117129.png

Thanks in advance..



Labels (4)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-01-2024 10:15 AM

When you run the search manually, does it detect any Critical events?  If not, then the alert won't trigger.  Debug the query one pipe at a time to see where it fails to detect the desired events.

Does the alert write to the Triggering Alerts dashboard?  If so, are you seeing anything there?

Is it possible all of the detected events have an ID that were previously reported and are now throttled?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AL3Z
Builder
‎02-01-2024 09:52 PM

@richgalloway ,

Hi

When I manually execute the search, I noticed that by excluding the last line from the search query, I am able to visualize the critical events successfully. Nevertheless, despite this observation, it's worth noting that there are no alerts appearing in the incident review panel dashboard.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-02-2024 09:48 AM

The last line is the one that determines if the event happened in the last 24 hours or not.  If the results fail that test then there's no need for the alert to trigger.  Sounds like it's working as intended, but maybe the intentions aren't clear?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...