Splunk® Enterprise Security

Administer Splunk Enterprise Security


Manually create a notable event in Splunk Enterprise Security

You can manually create a notable event from an indexed event, or create one from scratch.

Note: By default, only administrators with the edit_reviewstatuses capability can manually create notable events. To grant other users this capability, see Configure users and roles in the Installation and Upgrade Manual.

Create a notable event from an existing event

You can create a notable event from any indexed event using the Event Actions menu. Do not create a notable event from notable events on the Incident Review dashboard.

  1. From an event, view the event details and click Event Actions.
  2. Select Create notable event.
  3. Enter a Title for the event.
  4. (Optional) Select a security Domain.
  5. (Optional) Select an Urgency level.
  6. (Optional) Select an Owner.
  7. (Optional) Select a Status.
  8. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
  9. Save the new notable event. The Incident Review dashboard displays with your new notable event.

Note: A notable event created in this way includes tracking fields such as Owner and Status, but does not include the unique fields or links created when a notable event is generated by a correlation search alert action.

Create a notable event from scratch

Create a notable event based on observations, a finding from a security system outside Splunk, or something else.

  1. Select Configure > Incident Management > New Notable Event.
  2. Enter a Title for the event.
  3. (Optional) Select a security Domain.
  4. (Optional) Select an Urgency level.
  5. (Optional) Select an Owner.
  6. (Optional) Select a Status.
  7. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
  8. Save the new notable event. The Incident Review dashboard displays with your new notable event.

Add custom properties to a notable event

Add custom properties to a notable event using the eval command in an SPL search. Properties set with eval are written to the notable event when the search output is passed to the notable alert action. For example, the following search sets a custom security_domain, urgency level, severity level, risk_object, risk_object_type, and risk_score on the notable titled "Docs Test Notable":

| stats count | eval rule_title="Docs Test Notable", security_domain="audit", urgency="critical", severity="high", risk_object="compromised-laptop", risk_object_type="system", risk_score=45 | sendalert notable param.mapfields=rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions

Because rule_title is not listed in param.mapfields, it is not mapped to orig_rule_title. Instead, the value set with eval rule_title="Docs Test Notable" becomes the title of the notable event.


Ensure that the property that you add to the notable is customizable. Otherwise, the Incident Review page may have trouble loading.

Add a custom title to a notable event

Add a custom title to a notable event using a search, to avoid a generic title such as "Manual Notable Event- Rule". For example, the following search sets a custom title on the notable:

| stats count | eval rule_title="Custom title" | sendalert notable param.mapfields=rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions

As in the previous example, rule_title is not listed in param.mapfields, so it is not mapped to orig_rule_title. Instead, the value set with eval rule_title="Custom title" becomes the title of the notable event.

Use the owner field of a Splunk event as the owner of the notable event

In a correlation search, the owner field is normally mapped to orig_owner, because owner is in the default list of notable mapfields. If you want the owner field of a Splunk event, wherever that event came from, to become the owner of the resulting notable event, remove owner from the list of notable mapfields. The value of the owner field must be a Splunk username.

Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf:

## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions
…

For example, if you have a lookup that contains an owner field used to assign owners, you can reassign the owner of an event in Incident Review dynamically by updating the lookup with a search similar to the following, which changes every owner of gleb to george:

| inputlookup es_notable_events | search owner=gleb | eval owner="george" | outputlookup es_notable_events append=true key_field=owner

Pinpoint the original event via drill-down

If you create a notable event from a raw event, you can pinpoint the specific raw event that contributed to it.

When certain fields exist, such as orig_event_hash, a secondary drill-down link called "View original event" is constructed automatically. If the correct fields are passed with the notable event, this link runs an efficient search that returns the original event.

The following fields come into play:

  • orig_time (optional)
  • orig_index (optional)
  • orig_indexer_guid (optional)
  • orig_event_hash (required)

The orig_time and orig_index fields are created automatically if you pass _time and index, respectively, because _time and index are included in the default set of mapfields. For indexer_guid and event_hash, either rename the fields to orig_indexer_guid and orig_event_hash in your search, or add indexer_guid and event_hash to mapfields, as in the following configuration.

Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf:

## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,owner,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions,indexer_guid,event_hash
…

Create short IDs for notable events

Short IDs map to the URL of the notable event. Use short IDs to quickly access a notable event and share it with other analysts, which makes investigations easier. The short ID is stored in the KV Store lookup notable_xref_lookup.

To create a short ID, use one of the following methods:

  • Automatically generate a short ID using the Splunk Enterprise Security UI
  • Update the notable_xref_lookup KV Store lookup
  • Use the REST API

Alternatively, you can also use the event_ID to create a direct URL to the notable event instead of creating a short ID.

Generate short IDs using the Splunk Enterprise Security UI

Follow these steps to automatically create a six-character short ID that identifies a notable:

  1. In Enterprise Security, navigate to the Incident Review page.
  2. Expand the notable to which you want to add a short ID.
  3. Scroll to Event Details and click Create Short ID.

A six-character alphanumeric short ID is created automatically for the notable. You can use the short ID to filter notables.

You can also share a short ID for a notable event with other analysts using a link. For more information on sharing the short ID, see Take action on a notable event on Incident Review in Splunk Enterprise Security.

For upgrade notes on short IDs, see After upgrading to version 7.0.0.

Create a short ID by updating the KV Store lookup

Short IDs are rows in the notable_xref_lookup KV Store lookup that map an event_id to a short ID; add a row there to create one. To confirm the mapping, or to enrich search results with an existing short ID, use the lookup command, which returns the short ID fields as notable_xref_name and notable_xref_id:

lookup update=true notable_xref_lookup event_id OUTPUTNEW xref_name as notable_xref_name, xref_id as notable_xref_id
 

Create a short ID using the REST API option

Send a POST request to /servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_xref with the following parameters:

  • event_id
  • notable_time
  • xref_id
  • xref_label
  • xref_name
  • short_id

The REST API option is not recommended, because this interface is undocumented and might change without notice during an upgrade.

Create a direct URL based on the event_id instead of a short ID

If the event_id is available on the system, you can build a direct URL to the notable event without generating a short ID.

You can obtain the event_id from the Event Details of the notable event on the Incident Review page.

For example, if the event_id is: C23DA49F-BBDE-48DD-A0FB-315E79CF4E40@@notable@@12a19ead7f50228b91fc4a649b0ab080
then the URL is: https://soln-esnightly1.sv.splunk.com:8000/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=-24h%40h&latest=now&type=risk_event&event_id=C23DA49F-BBDE-48DD-A0FB-315E79CF4E40@@notable@@12a19ead7f50228b91fc4a649b0ab080
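The following Python script is an added example, not code from this page or from Splunk. It covers the non-UI options above in one place: it builds the direct Incident Review URL from an event_id (percent-encoding the whole query string, which the example URL above does not do for the "@@" in the event_id), and it creates a short ID by writing a row with the six parameters listed above to the notable_xref collection through the REST endpoint named above, first checking the collection for an existing xref_id so that two notables never share a short ID. The event_id is the one from the example above; the host names, bearer-token authentication, the xref_name and xref_label values, and the six-character A-Z0-9 short-ID format are assumptions, and the KV Store responses are constructed so that the script runs offline. The caveat above still applies: the REST interface is undocumented and might change in an upgrade.

```python
"""Added example (not Splunk's own code): a direct Incident Review URL built from an
event_id, and a short ID created by POSTing a row to the notable_xref KV Store
collection. Assumptions: xref_name/xref_label values, the six-character A-Z0-9
short-ID format, bearer-token auth and the host names. KV Store answers are
constructed (FakeKVStore) so the script runs offline."""
import io
import json
import secrets
import string
import time
import urllib.parse
import urllib.request

# event_id taken from this page's own example
EXAMPLE_EVENT_ID = ("C23DA49F-BBDE-48DD-A0FB-315E79CF4E40"
                    "@@notable@@12a19ead7f50228b91fc4a649b0ab080")
SHORT_ID_ALPHABET = string.ascii_uppercase + string.digits   # assumed format
COLLECTION_PATH = "/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_xref"


def incident_review_url(web_base_url, event_id, earliest="-24h@h", latest="now"):
    """Direct link to a notable in the form shown on this page. web_base_url is
    the web UI including locale, e.g. https://sh.example:8000/en-US (assumed).
    Every query parameter is percent-encoded so '@' cannot be misparsed."""
    params = {"earliest": earliest, "latest": latest,
              "type": "risk_event", "event_id": event_id}
    return (web_base_url.rstrip("/")
            + "/app/SplunkEnterpriseSecuritySuite/incident_review?"
            + urllib.parse.urlencode(params))


def build_xref_record(event_id, short_id, notable_time=None):
    """Row for the notable_xref collection with the six parameters this page lists.
    Inputs are validated before anything is written to the KV Store."""
    if "@@notable@@" not in event_id:        # shape of the event_id on this page
        raise ValueError("event_id does not look like a notable event_id")
    if len(short_id) != 6 or any(c not in SHORT_ID_ALPHABET for c in short_id):
        raise ValueError("short_id must be six characters from A-Z0-9")
    return {
        "event_id": event_id,
        "notable_time": int(time.time()) if notable_time is None else notable_time,
        "xref_id": short_id,
        "xref_label": "Short ID",    # assumed label
        "xref_name": "short_id",     # assumed name
        "short_id": short_id,
    }


def _request(rest_base_url, token, method, query=None, body=None):
    """Authenticated request to the collection endpoint. rest_base_url is the
    management port, e.g. https://sh.example:8089 (assumed)."""
    url = rest_base_url.rstrip("/") + COLLECTION_PATH
    if query:                                  # KV Store 'query' filter, JSON-encoded
        url += "?" + urllib.parse.urlencode({"query": json.dumps(query)})
    headers = {"Authorization": "Bearer " + token}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def create_short_id(rest_base_url, token, event_id, opener=urllib.request.urlopen, attempts=5):
    """Generate a random short ID, check the collection for a collision on xref_id,
    then POST the row. Returns (short_id, decoded response). opener is injectable
    so the call can be exercised without a Splunk server."""
    for _ in range(attempts):
        short_id = "".join(secrets.choice(SHORT_ID_ALPHABET) for _ in range(6))
        with opener(_request(rest_base_url, token, "GET", query={"xref_id": short_id})) as resp:
            if json.loads(resp.read()):        # a row already uses this xref_id
                continue
        record = build_xref_record(event_id, short_id)
        with opener(_request(rest_base_url, token, "POST", body=record)) as resp:
            return short_id, json.loads(resp.read())
    raise RuntimeError("could not find an unused short ID")


class FakeKVStore:
    """Constructed stand-in for the KV Store endpoint (not Splunk): records every
    request, answers GET queries with 'no rows' and POSTs with a _key."""
    def __init__(self):
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        body = b"[]" if req.get_method() == "GET" else b'{"_key": "6332d2e1a1b2c3d4e5f60001"}'
        return io.BytesIO(body)


def demo():
    """Run create_short_id against the fake endpoint and return what was sent."""
    kv = FakeKVStore()
    short_id, response = create_short_id("https://sh.example:8089", "TOKEN",
                                         EXAMPLE_EVENT_ID, opener=kv)
    post = kv.requests[-1]
    return {
        "short_id": short_id,
        "response": response,
        "method": post.get_method(),
        "url": post.full_url,
        "posted": json.loads(post.data),
        "share_url": incident_review_url("https://sh.example:8000/en-US", EXAMPLE_EVENT_ID),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run against a real search head, pass urllib.request.urlopen (the default) instead of FakeKVStore and a token for a role that can write to the SA-ThreatIntelligence collections; the collision check matters because a duplicated xref_id would make the short ID resolve to the wrong notable.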

Last modified on 28 November, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2

