Splunk® Enterprise Security

Installation and Upgrade Manual


Configure notable events

A notable event is an alert type that creates an event when a correlation search condition is met. When a notable event is created, it is indexed on disk, like other events indexed by Splunk Enterprise. The notable event object is tracked, managed, and updated using the Incident Review dashboard in the Enterprise Security app. The Enterprise Security app tracks all incident review activity for auditing on the Incident Review Audit dashboard.

Configurations related to notable events are found under Configure > Incident Management in the Enterprise Security app.

  1. Review the default Notable Event Statuses and add, remove or change a status as desired.
  2. Understand the difference between a notable event throttle and a suppression.
  3. Configure the Incident Review settings as desired.

Notable Event Statuses

The notable event statuses are defined to assist in moving a notable event through a workflow for identification and review. The default statuses can be edited, new statuses can be added, and the status transitions can be changed. Before editing or adding any status, it is important to define the workflow to be used.

Notable Event Statuses in the Enterprise Security app

Label           Description
Unassigned      The event has not been assigned.
New (default)   The event has not been reviewed.
In Progress     Investigation or response is in progress.
Pending         Event closure is pending some action.
Resolved        The issue has been resolved and awaits verification.
Closed          The issue has been resolved and verified.

Edit Notable Event Status

Selecting a Notable Event Status opens the Edit Notable Event Status panel. The panel displays the label, the description, the status, and the status transition workflow for a notable event.

User authorization

Authorization for each status transition can be assigned to specific user roles. For example, a member of the admin role can mark an event Closed, while a member of the esanalyst role can assign an event and change its status from New to In Progress.

See "Configure user and roles" for more information about user roles and Enterprise Security app capabilities.

Notable Event Suppressions

A notable event suppression is a search filter that hides any notable events matching the search conditions. The suppression filter is created to stop an excessive or unwanted number of notable events from being displayed on the Incident Review dashboard.

The Notable Event Suppressions page displays all suppressions that have been created, and the current status of the suppression filter. To edit notable event suppressions, browse to Configure > Incident Management > Notable Event Suppressions. See Create a suppression from Notable Event Suppressions in the User manual.

Configure Incident Review Settings

Incident Review settings control how analysts edit the status of notable events. Go to Configure > Incident Management > Incident Review Settings to configure whether analysts can override the calculated urgency, and whether a comment is required when a status change is made.

  • Allow Overriding of Urgency: Allows analysts to override and replace the calculated urgency of a notable event. Enabled by default.
  • Comment Required: If selected, an analyst cannot edit events on the Incident Review page unless a comment is provided.
    • Minimum Length Required: The minimum length of the required comment. Defaults to a 20-character minimum.
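The following is an added example, not Splunk code, that models the rules described in the User authorization, Notable Event Suppressions and Incident Review Settings sections above as a small policy check: role-authorized status transitions, a comment-length requirement, the urgency-override switch, and a suppression filter applied before events are displayed. The page states only that the esanalyst role may move an event from New to In Progress and that the admin role may mark an event Closed; every other transition, the suppression format (field=value conditions), the sample events and the function names are constructed assumptions.

```python
# Added example: a hypothetical model of the notable event review workflow
# described on this page. It is not Splunk code; the extra transitions,
# the sample events and the suppression format are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Statuses from the page's table, in workflow order.
STATUSES = ["Unassigned", "New", "In Progress", "Pending", "Resolved", "Closed"]

# Role-authorized status transitions. The page gives two rules (esanalyst may
# move New -> In Progress; admin may mark an event Closed); the remaining
# transitions are constructed to make a complete workflow.
TRANSITIONS: Dict[str, Set[Tuple[str, str]]] = {
    "esanalyst": {
        ("Unassigned", "New"),
        ("New", "In Progress"),
        ("In Progress", "Pending"),
        ("Pending", "In Progress"),
        ("In Progress", "Resolved"),
    },
    "admin": {(s, "Closed") for s in STATUSES if s != "Closed"}
    | {("Resolved", "In Progress")},
}


@dataclass
class ReviewSettings:
    """The Incident Review settings described above, with the page's defaults."""
    allow_urgency_override: bool = True
    comment_required: bool = False
    minimum_comment_length: int = 20


def validate_edit(event: dict, role: str, settings: ReviewSettings,
                  new_status: Optional[str] = None,
                  new_urgency: Optional[str] = None,
                  comment: str = "") -> Tuple[bool, str]:
    """Check one Incident Review edit; returns (allowed, reason)."""
    if settings.comment_required and len(comment.strip()) < settings.minimum_comment_length:
        return False, f"comment of at least {settings.minimum_comment_length} characters required"
    if new_urgency is not None and not settings.allow_urgency_override:
        return False, "urgency override is disabled"
    if new_status is not None:
        if new_status not in STATUSES:
            return False, f"unknown status {new_status!r}"
        if (event["status"], new_status) not in TRANSITIONS.get(role, set()):
            return False, f"role {role!r} may not move {event['status']!r} -> {new_status!r}"
    return True, "ok"


def apply_edit(event: dict, role: str, settings: ReviewSettings,
               audit: List[dict], **changes) -> bool:
    """Apply an edit if it passes validation and record the attempt (allowed or
    not) for the audit trail, as the Incident Review Audit dashboard would."""
    ok, reason = validate_edit(event, role, settings, **changes)
    audit.append({"event_id": event["id"], "role": role, "allowed": ok,
                  "reason": reason, **changes})
    if ok:
        if changes.get("new_status") is not None:
            event["status"] = changes["new_status"]
        if changes.get("new_urgency") is not None:
            event["urgency"] = changes["new_urgency"]
    return ok


def is_suppressed(event: dict, suppressions: List[dict]) -> bool:
    """A suppression here is a set of field=value conditions that must all
    match (constructed stand-in for a search filter)."""
    return any(all(event.get(f) == v for f, v in s.items()) for s in suppressions)


def visible_events(events: List[dict], suppressions: List[dict]) -> List[dict]:
    """Events that would reach the Incident Review dashboard."""
    return [e for e in events if not is_suppressed(e, suppressions)]


if __name__ == "__main__":
    # Constructed sample notable events.
    events = [
        {"id": "n1", "status": "New", "urgency": "medium", "rule": "Brute Force", "src": "10.0.0.5"},
        {"id": "n2", "status": "New", "urgency": "low", "rule": "Brute Force", "src": "10.0.0.9"},
    ]
    suppressions = [{"rule": "Brute Force", "src": "10.0.0.9"}]  # known scanner, constructed
    shown = visible_events(events, suppressions)
    print("visible:", [e["id"] for e in shown])

    strict = ReviewSettings(comment_required=True)
    audit: List[dict] = []
    apply_edit(shown[0], "esanalyst", strict, audit, new_status="In Progress", comment="too short")
    apply_edit(shown[0], "esanalyst", strict, audit,
               new_status="In Progress", comment="Assigned to tier 1 for triage.")
    apply_edit(shown[0], "esanalyst", strict, audit,
               new_status="Closed", comment="Attempting to close without authority.")
    for record in audit:
        print(record)
```

Running the script shows the rejected short comment, the accepted New to In Progress transition, and the esanalyst attempt to close an event being refused and logged, which is the behaviour the two role rules on this page describe.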

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3
