Configure notable events
A notable event is an alert type that creates an event when a correlation search condition is met. When a notable event is created, it is indexed on disk, like other events indexed by Splunk Enterprise. The notable event object is tracked, managed, and updated using the Incident Review dashboard in the Enterprise Security app. The Enterprise Security app tracks all incident review activity for auditing on the Incident Review Audit dashboard.
Configurations related to notable events are found under Configure > Incident Management in the Enterprise Security app.
- Review the default Notable Event Statuses and add, remove or change a status as desired.
- Understand the difference between a notable event throttle and a suppression.
- Configure the Incident Review settings as desired.
Notable Event Statuses
The notable event statuses are defined to assist in moving a notable event through a workflow for identification and review. The default statuses can be edited, new statuses can be added, and the status transitions can be changed. Before editing or adding any status, define the workflow that analysts are expected to follow.
| Label | Description |
|---|---|
| Unassigned | The event has not been assigned |
| New (default) | Event has not been reviewed |
| In Progress | Investigation or response is in progress |
| Pending | Event closure is pending some action |
| Resolved | The issue has been resolved and awaits verification |
| Closed | Issue has been resolved and verified |
Edit Notable Event Status
Selecting a Notable Event Status will open the Edit Notable Event Status panel. The page displays the label, the description, the status, and the status transition workflow for a notable event.
User authorization
Authorization for each status transition can be assigned to specific user roles. For example, a member of the admin role can mark an event Closed, while a member of the esanalyst role can assign an event and change its status from New to In Progress.
See "Configure user and roles" for more information about user roles and Enterprise Security app capabilities.
Notable Event Suppressions
A notable event suppression is a search filter that hides any notable events matching the search conditions. The suppression filter is created to stop an excessive or unwanted number of notable events from being displayed on the Incident Review dashboard.
The Notable Event Suppressions page displays all suppressions that have been created, and the current status of the suppression filter. To edit notable event suppressions, browse to Configure > Incident Management > Notable Event Suppressions. See Create a suppression from Notable Event Suppressions in the User manual.
Configure Incident Review Settings
Log review settings govern how analysts edit the status of notable events. Go to Configure > Incident Management > Incident Review Settings to configure whether analysts can override the calculated urgency, and whether a comment is required when a status change is made.
- Allow Overriding of Urgency: Allows analysts to override and replace the calculated urgency of a notable event. It is enabled by default.
- Comment Required: If selected, an analyst cannot edit events in the Incident Review page unless a comment is provided.
- Minimum Length Required: The minimum length of the required comment can be specified. It defaults to a 20-character minimum.
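The following is an added illustrative model, not Splunk code, of how the role-gated status transitions described under User authorization and the Incident Review Settings above combine when an analyst edits a notable event. The transition table and the role names beyond admin and esanalyst are assumptions for the example; the defaults (urgency override enabled, 20-character minimum comment) are taken from the page.

```python
"""Model of Incident Review status changes (added example, not Splunk's implementation)."""
from dataclasses import dataclass, field

STATUSES = ("Unassigned", "New", "In Progress", "Pending", "Resolved", "Closed")

# Which roles may perform each status transition. Assumed workflow for
# illustration: esanalyst moves events through triage, only admin may close.
TRANSITIONS = {
    ("New", "In Progress"): {"esanalyst", "admin"},
    ("In Progress", "Pending"): {"esanalyst", "admin"},
    ("Pending", "In Progress"): {"esanalyst", "admin"},
    ("In Progress", "Resolved"): {"esanalyst", "admin"},
    ("Resolved", "Closed"): {"admin"},
}


@dataclass
class ReviewSettings:
    allow_urgency_override: bool = True  # page default: enabled
    comment_required: bool = True
    min_comment_length: int = 20         # page default: 20 characters


@dataclass
class NotableEvent:
    status: str = "New"                  # page default status
    urgency: str = "medium"
    audit: list = field(default_factory=list)  # what Incident Review Audit would record


def change_status(event, new_status, role, comment, settings):
    """Apply one status change; return (ok, reason) and record it on success."""
    if new_status not in STATUSES:
        return False, f"unknown status {new_status!r}"
    if role not in TRANSITIONS.get((event.status, new_status), set()):
        return False, f"role {role!r} may not move {event.status!r} -> {new_status!r}"
    if settings.comment_required and len(comment.strip()) < settings.min_comment_length:
        return False, f"comment shorter than {settings.min_comment_length} characters"
    event.audit.append((role, event.status, new_status, comment))
    event.status = new_status
    return True, "ok"


def override_urgency(event, new_urgency, role, settings):
    """Replace the calculated urgency, only if the setting allows it."""
    if not settings.allow_urgency_override:
        return False, "urgency override disabled in Incident Review Settings"
    event.audit.append((role, "urgency", event.urgency, new_urgency))
    event.urgency = new_urgency
    return True, "ok"
```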
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3