Customize notable event settings in Splunk Enterprise Security
As a Splunk Enterprise Security administrator, you can make configuration changes to notable events.
- Change notable event fields.
- Manage notable event statuses.
- Create and manage notable event suppressions.
Use the Permissions page to view and assign Enterprise Security capabilities to non-admin roles and edit or update notable events. For more information, see Manage permissions in Splunk Enterprise Security.
Change notable event fields
Make changes to the fields displayed on the Incident Review dashboard for notable events on the Incident Review Settings dashboard. For example, change the label of a field in the notable event details, remove a field, or add a field to the Additional Fields section of the notable event details. Changes that you make to notable event fields affect all notable events.
- From the menu bar, select Configure > Incident Management > Incident Review Settings.
- Review the Incident Review - Event Attributes.
- Click Edit to change a field or the label for a specific field that appears on Incident Review.
- Click Remove to remove a field from the notable event details on the Incident Review dashboard.
- Click Save to save your changes.
Add a field to the notable event details
A field appears in the Additional fields of the notable event details if the field exists in the correlation search results and Incident Review can display the field. To add a field to the notable event details, first make sure that the correlation search results include the field and then make sure that Incident Review can display the field.
- Determine if the field you want to see is included in the correlation search results. Run the correlation search on the Search page to review the output or the search syntax.
- If the field exists in the search results, skip ahead to the step that adds the field to the list of additional fields.
- If the field does not exist in the search results, continue with the next step and modify the correlation search.
- Modify the correlation search to include the field.
- If you can edit the search with the guided search editor, add the field as an aggregate function with an alias. Use the values function to return all possible values of a given field, or the latest function to return the most recent value for the field.
- If you created the search manually, modify the search to extract the fields. Make sure that you do not modify the correlation criteria when you modify the search.
- If the search does not include statistical transformations, add | fields + newfieldname to the end of the search, where newfieldname is the name of the new field you want to see in the additional details.
- If the search does include statistical transformations, extract the fields when you perform the statistical transformation.
- Verify changes to correlation searches on the Search page before saving them.
- Add the field to the list of additional fields.
- From the menu bar, select Configure > Incident Management > Incident Review Settings.
- Click Add new entry to add the new field to the Additional Fields section of the notable event details.
- Type a Label to use as the display name of the field in the notable event details.
- Type a Field to match the field that you want to appear in the notable event details.
- Click Done.
- Click Save.
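As an added example, not taken from the original page, the following two searches show the change described under "Modify the correlation search" for each kind of correlation search. The index, data model, field values and threshold are assumptions chosen for illustration. The first search aggregates, so the extra fields are carried through the tstats call with values() and latest() aliases, which is the same thing the guided editor does; because app already has an Additional Fields entry (Application), it appears in the notable details as soon as the search produces it. The second search has no statistical transformation, so the fields to keep are listed explicitly at the end:

```spl
| tstats summariesonly=true count, values(Authentication.app) as app, latest(Authentication.user) as user from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src
| rename Authentication.src as src
| where count > 20

index=firewall action=blocked dest_port=22 src=10.*
| fields + src, dest, dest_port, app, action
```

Note that `fields +` keeps only the fields you list (plus internal fields such as _time), so name every field the notable needs, not only the new one; otherwise fields that used to appear in the notable details disappear. Run each search on the Search page first and confirm that the new column is present before saving the correlation search.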
SPL search to verify the additional fields
Use the following search to get a list of all of the active Additional Fields.
| rest splunk_server=local /servicesNS/-/-/configs/conf-log_review/incident_review
| fields event_attributes
| eval d=split(event_attributes, "},")
| rex field=d max_match=0 "field\"\s*:\s*\"(?<field>[^\"]+)"
| rex field=d max_match=0 "label\"\s*:\s*\"(?<label>[^\"]+)"
| eval mv=mvzip(field,label)
| fields mv
| mvexpand mv
| eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1)
| table field, label
A truncated example response follows.
| field | label |
|---|---|
| action | Action |
| app | Application |
| bytes_in | Bytes In |
| bytes_out | Bytes Out |
| category | Category |
| change_type | Change Type |
| channel | Channel |
| command | Command |
| cpu_load_percent | CPU Load (%) |
| creator | Creator |
| creator_realname | Creator Realname |
| cve | CVE |
| decoration | Decoration |
| desc | Description |
| dest | Destination |
| dest_threatlist_category | Destination Threat List Category |
| dest_threatlist_description | Destination Threat List Description |
| dest_threatlist_name | Destination Threat List Name |
| dest_bunit | Destination Business Unit |
| dest_category | Destination Category |
Find notables based on calculated eval fields
You can find notables using the Search bar of the Incident Review page by filtering on specific fields, such as src or dest, that exist in the notable. However, you might not find notables by filtering on search-time calculated eval fields such as event_hash or event_id.
This is because the Search bar on the Incident Review page supports searching for freeform keywords or text, which might not apply to all of the information on the Incident Review page. Search-time calculated eval fields are not directly searchable.
As a workaround, you can retrieve the notables using the Search bar by filtering with fully qualified SPL syntax.
For example, to find notables whose risk objects contain foobarbaz, use risk_object="foobarbaz" or risk_object="foobarbaz*".
Manage notable event statuses
An analyst assigns a status to a notable event in the investigation workflow. The status aligns with the stages of an investigation, and can be used to review and report on the progress of a notable event investigation on the Incident Review Audit dashboard.
To see the available statuses for notable events, select Configure > Incident Management > Status Configuration.
| Label | Description | Can be edited |
|---|---|---|
| Unassigned | Used by Enterprise Security when an error prevents the notable event from having a valid status assignment. | No |
| New (default) | The notable event has not been reviewed. | No |
| In Progress | An investigation or response to the notable event is in progress. | Yes |
| Pending | Closure of the notable event is pending some action. | Yes |
| Resolved | The notable event has been resolved and awaits verification. | Yes |
| Closed | The notable event has been resolved and verified. | Yes |
Every notable event is assigned a status of New by default when it is created by a correlation search. You can customize notable event statuses to match an existing workflow at your organization.
Edit notable event statuses
Change the available statuses for notable events on the Edit Notable Event Status page.
- On the Splunk Enterprise Security toolbar, select Configure > Incident Management > Status Configuration.
- Select a notable event status to open the Edit Notable Event Status page.
- (Optional) Change the Label or Description.
You cannot edit the Unassigned and New statuses because they are defaults used when creating notable events.
Manage notable event status history
Notable events are associated with users, statuses, and comments. Changes made to status names only affect the name of a status, not the status ID assigned to the notable event in the notable index.
If you change the name of a default notable event status, the name changes for both past and future notable events. For example, if you rename "pending" to "waiting for customer", all notable events with a status of "pending" will then have a status of "waiting for customer". The status ID assigned to the notable events remains the same.
Create a status
Create a status for the notable event investigation workflow.
Prerequisites
If you restrict status transitions, determine where the new status is needed in the workflow and whether any roles can bypass the new status in the workflow.
Steps
- On the Splunk Enterprise Security toolbar, select Configure > Incident Management > Status Configuration.
- Select Create New Status > Notable.
- Type a Label that represents the status on the Incident Review dashboard. For example, Waiting on ITOps.
- (Optional) Type a description that appears on the Status Configuration page. For example, Waiting on the IT operations department.
- (Optional) Select the check box for Default Status. Select this check box if you want to replace the New status as the default status for newly-created notable events.
- (Optional) Select the check box for End Status. Select this check box if you are adding an additional Closed status for notable events, such as False Positive.
- (Optional) Deselect the check box for Activate/Turn on. Deselect this check box if you want to create this status without using it.
- Update the status transitions by modifying the To Status fields. If you do not select any roles that can transition from this status to another one, no one will be able to move the notable event to a different status after transitioning the notable event to this status. If you do not restrict status transitions, select all roles for each status.
- Click Save.
If you restrict status transitions based on user roles, modify the status transitions for each status that can transition to this new status.
Notable event status transitions
Statuses represent the steps in investigating a notable event. Status transitions define the path of a notable event investigation.
An analyst changes the status of the notable event as the investigation progresses. To change the status of a notable event:
- The analyst must be a member of a role that has permission to change a status. The ability to change notable event statuses is available to the ess_analyst and ess_admin roles by default. If your role only inherits ess_analyst or ess_admin, you cannot change the status of notables; only users who are directly assigned the ess_analyst or ess_admin role can change the status of notables.
- The follow-on status must allow a transition from the current status.
Restrict notable event status transitions
You can define a status workflow and limit which statuses analysts can transition to other statuses, creating a path for a notable event investigation. By default, ES user roles such as ess_analyst can change the status of notable events to any of the following five options:
- New
- In progress
- Pending
- Resolved
- Unassigned
Status transitions from Unassigned to the other default statuses are possible. However, status transitions from the other default statuses to Unassigned are not possible.
However, as an ES administrator, you can restrict the ability of certain users to transition between notable statuses so that you have more control over managing the operations of your SOC.
Prerequisites
- You must have the ess_admin role or your role must be assigned the Edit Statuses capability. For more information about user roles and capabilities, see Configure users and roles in the Installation and Upgrade Manual.
- Define a status workflow for notable event investigations. Determine which statuses to require, and whether analysts must follow a specific sequence of statuses before completing the workflow. Determine whether any roles can bypass the full workflow.
Steps
- On the Splunk Enterprise Security toolbar, select Configure > Incident Management > Status Configuration.
- Select a notable event status to open the Edit Status page.
- Scroll to Transitions and select the roles that you want to authorize for transitioning from one status to another status.
- Click Save.
Here are some examples to help you restrict status transitions for analysts.
Example 1: Follow these steps if you want to restrict status transitions so that analysts must follow a path from New, to In Progress or Pending, to Resolved, then to Closed.
- On the Splunk Enterprise Security toolbar, select Configure > Incident Management > Status Configuration.
- Restrict the transitions from the New status. Select the New status to open the Edit Notable Event Status page.
- In Status Transitions, select the roles for the Resolved status and deselect the check box for the ess_analyst role.
- Select the roles for the Closed status and deselect the check box for the ess_analyst role.
- Click Save to save the changes to the New status.
- Restrict the transitions on the In Progress and Pending statuses to prevent the ess_analyst role from transitioning to New or to Closed.
- Select the In Progress status.
- In Status Transition, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the Closed status.
- Click Save to save the changes to the In Progress status.
- Select the Pending status and repeat the previous two steps for it.
- Restrict the transitions from the Resolved status. Select the Resolved status.
- In Status Transition, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the In Progress and Pending statuses.
- Click Save to save the changes to the Resolved status.
- Restrict the transitions for the Closed status. Select the Closed status.
- In Status Transition, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the In Progress, Pending, and Resolved statuses.
- Click Save to save the changes for the Closed status.
Example 2: Follow these steps to allow the ess_analyst role to transition a notable from New to In Progress or from New to Pending, but not from New to Resolved or Closed. As an administrator, you therefore keep control over how notables are resolved or closed in your SOC.
- On the Splunk Enterprise Security toolbar, select Configure > Incident Management > Status Configuration.
- Click an existing notable status in the list for which you want to restrict user roles. For example, click the New status.
- In the Edit Status dialog, scroll to Transitions.
- Using the drop-down list for each status, select the user roles that can transition from the New status to that status. For example, if you do not want to allow the ess_analyst role to transition a notable from the New status to a Resolved or Closed status, remove the ess_analyst role from the Resolved and Closed fields.
- Click Save.
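To verify the result of either example without opening every status, you can query the role definitions directly. The following search is an added example, not part of the original page. It assumes that Enterprise Security represents each allowed transition as a role capability named transition_reviewstatus-<from_id>_to_<to_id>, and that the status IDs and labels can be read from reviewstatuses.conf through the REST configs endpoint; confirm both on your version before relying on it. Because it reads the capabilities field rather than imported_capabilities, it shows only directly assigned transitions, which is what matters given that inherited roles cannot change statuses:

```spl
| rest splunk_server=local /services/authorization/roles
| search title IN ("ess_analyst", "ess_admin")
| fields title, capabilities
| rename title as role
| mvexpand capabilities
| rex field=capabilities "^transition_reviewstatus-(?<from_id>\d+)_to_(?<to_id>\d+)$"
| where isnotnull(from_id)
| join type=left from_id
    [| rest splunk_server=local /servicesNS/-/-/configs/conf-reviewstatuses
     | rename title as from_id, label as from_status
     | fields from_id, from_status]
| join type=left to_id
    [| rest splunk_server=local /servicesNS/-/-/configs/conf-reviewstatuses
     | rename title as to_id, label as to_status
     | fields to_id, to_status]
| stats values(to_status) as allowed_transitions by role, from_status
```

Read the output as a transition matrix per role. After Example 1, the ess_analyst rows should show New leading only to In Progress and Pending, those two leading only to each other and to Resolved, and Resolved leading only to Closed. A status that never appears as from_status for a role is a dead end for that role, which is the condition the "Create a status" steps warn about; ess_admin should still list every transition so that an administrator can always recover a notable that an analyst has moved into a restricted status.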
Create and manage notable event suppressions
You can hide notable events from the Incident Review dashboard by creating a notable event suppression.
A suppression is a search filter that hides additional notable events from view, and is used to stop excessive or unwanted numbers of notable events from appearing on the Incident Review dashboard. Notable events that meet the search conditions are still created and added to the notable index. Suppressed notable events continue to contribute to notable event counts on the Security Posture and auditing dashboards.
To prevent notable events that meet certain conditions from being created, see Throttle the number of response actions generated by a correlation search.
You can create a suppression filter in two ways.
- Create a suppression from Incident Review. See Suppress a notable event.
- Create a suppression from the Configure menu. See Create a suppression from Notable Event Suppressions.
Create a suppression from Notable Event Suppressions
- Select Configure > Incident Management > Notable Event Suppressions.
- Click Create New Suppression.
- Enter a Name and Description for the suppression filter.
- Enter a Search to find notable events that you want to be suppressed.
The search goes directly into the eventtype stanza, so the use of pipes is limited. See eventtypes.conf in the Splunk Enterprise Admin Manual.
The macro `get_notable_index` can be used to create an SPL suppression search filter. However, using the macro on its own might suppress all notables. Therefore, use the macro as a starting point for the SPL search filter and add conditions that match only the notables you want to suppress.
- Set the Expiration Time. This defines the time range of notable events that the suppression filter applies to. The expiration time does not turn the suppression off: notable events whose time falls within the specified range continue to be suppressed until you turn off the suppression. Notable events that fall outside the expiration time are not suppressed.
Edit notable event suppressions
- Select Configure > Incident Management > Notable Event Suppressions.
- Select a notable event suppression to open the Edit Notable Event Suppression page.
- Edit the Description and Search fields used for the suppression filter.
- Click Save.
Turn off notable event suppressions
- Select Configure > Incident Management > Notable Event Suppressions.
- Select Deactivate / Turn off in the Status column for the notable event suppression.
Remove a notable event suppression
- From the Splunk platform toolbar, select Settings > Event types.
- Search for the suppression event type: notable_suppression-<suppression_name>.
- Select delete in the Actions column for the notable event suppression.
Audit notable event suppressions
Audit notable event suppressions with the Suppression Audit dashboard. See Suppression Audit in Use Splunk Enterprise Security.
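The event type naming convention described above also makes suppressions easy to review in bulk from the search bar. The following search is added here and is not part of the original page. It lists every suppression event type with its filter, whether it is turned off, and the app and owner it was saved under, and flags a filter that consists of nothing but the bare `get_notable_index` macro, since such a filter hides every notable; the match() pattern uses a dot in place of each backtick so that the macro is not expanded inside the string. It assumes the standard saved/eventtypes REST endpoint is reachable from the search head:

```spl
| rest splunk_server=local /servicesNS/-/-/saved/eventtypes
| search title="notable_suppression-*"
| rename eai:acl.app as app, eai:acl.owner as owner
| eval status=if(disabled=1, "turned off", "active")
| eval hides_all_notables=if(match(search, "^\s*.get_notable_index.\s*$"), "yes", "no")
| table title, status, hides_all_notables, search, app, owner, description
```

Schedule this as a report or compare its output against a change ticket: an active suppression with no owner you recognize, or one whose filter has no field constraints beyond the macro, is worth raising with the analyst who created it before the notables it hides are missed.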
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2