Splunk® Enterprise Security

REST API Reference


Notable Event API reference

Access the Notable Event framework in Splunk Enterprise Security.

The Notable Event framework provides a way to identify noteworthy incidents from events and then manage the ownership, triage process, and state of those incidents. For more information about working with the framework, see Notable Event framework in Splunk ES on the Splunk developer portal.

There is no GET method for notable events in Splunk Enterprise Security. Instead, you can use Splunk search and macros to access the notables programmatically. See Using notable events in search on the Splunk developer portal.

Usage details

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations. You must have the edit_notable_events capability to use the notable event endpoint.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Managed Splunk Cloud deployments
Use the following URL for single-instance managed deployments.

https://<deployment-name>.cloud.splunk.com:8089

Use the following URL for clustered deployments. If necessary, submit a support case to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

Self-service Splunk Cloud deployments
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.

https://input-<deployment-name>.cloud.splunk.com:8089

See Using the REST API in Splunk Cloud in the Splunk REST API Tutorials for more information.

/services/notable_update

Edit all notable events that match one or more ruleUIDs, or edit all notable events that match a search.

Syntax

https://<host>:<mPort>/services/notable_update

POST

Update the status, urgency, owner, or comment of one or more notable events.

Request parameters
An argument string must include at least one of the following arguments: comment, status, urgency, newOwner. It also must include either a searchID or one or more ruleUIDs.

Field Description
comment A description of the change or some information about the notable events.
status A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event.
urgency An urgency. Only required if you are changing the urgency of the event.
newOwner An owner. Only required if reassigning the event.
ruleUIDs A list of notable event IDs. Must be provided if a searchID is not provided. Include multiples of this attribute to edit multiple events. For example, ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&ruleUIDs=F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b
searchID An ID of a search. All of the events associated with this search are modified unless a list of ruleUIDs is also provided, which limits the scope to that subset of the results.

Response

A success or failure message.


Example request

curl -u admin:changeme -k https://localhost:8089/services/notable_update \
  --data-urlencode "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0" \
  --data-urlencode "comment=Just adding a comment" \
  --data "status=5&urgency=high&newOwner=analyst_name"

Use --data-urlencode for any value that contains spaces or other characters that are not safe in a form body, such as the comment. The -k option disables TLS certificate verification and is appropriate only for a test instance with a self-signed certificate; against a production search head, trust its certificate instead of skipping the check.

Example response

{"message":"1 event updated successfully","failure_count":0,"success":true,"details":{},"success_count":1}
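The following script is an added example, not Splunk's own code: it builds the form body for /services/notable_update while enforcing the two rules from the parameter table (at least one of comment, status, urgency, newOwner; and either a searchID or one or more ruleUIDs), sends it with HTTP basic authentication (the same thing curl -u does), and interprets the JSON reply. The function names, the sample rule UIDs (taken from the table above) and the placeholder credentials are assumptions for illustration only; only the standard library is used.

```python
# Added example (not Splunk's code): build, validate and send a
# /services/notable_update request, then interpret the JSON response.
import base64
import json
import ssl
import urllib.parse
import urllib.request

ENDPOINT_PATH = "/services/notable_update"
# The four editable fields documented for the endpoint.
EDIT_FIELDS = ("comment", "status", "urgency", "newOwner")


def build_update_body(rule_uids=None, search_id=None, **fields):
    """Return the URL-encoded form body for notable_update.

    Enforces the documented rules: at least one of comment/status/urgency/
    newOwner, and either searchID or one or more ruleUIDs. Every rule UID
    becomes its own ruleUIDs= pair, as the endpoint expects.
    """
    unknown = set(fields) - set(EDIT_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    edits = {k: v for k, v in fields.items() if v is not None}
    if not edits:
        raise ValueError("need at least one of comment, status, urgency, newOwner")
    if not rule_uids and not search_id:
        raise ValueError("need a searchID or at least one ruleUIDs value")
    pairs = [(k, str(v)) for k, v in edits.items()]
    if search_id:
        pairs.append(("searchID", search_id))
    for uid in rule_uids or []:
        pairs.append(("ruleUIDs", uid))
    # urlencode percent-encodes values, so spaces in a comment are safe.
    return urllib.parse.urlencode(pairs)


def parse_update_response(raw):
    """Turn the endpoint's JSON reply into (ok, message, failure_count).

    A reply counts as ok only when success is true AND no event failed;
    a partial failure on a multi-UID update must not look like success.
    """
    data = json.loads(raw)
    failures = int(data.get("failure_count", 0))
    ok = bool(data.get("success")) and failures == 0
    return ok, data.get("message", ""), failures


def update_notables(host, username, password, body, port=8089, verify_tls=True):
    """POST the body with HTTP basic auth and return the parsed result.

    verify_tls=False is the equivalent of curl -k: acceptable only for a lab
    instance with a self-signed certificate, never for production.
    """
    url = f"https://{host}:{port}{ENDPOINT_PATH}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=body.encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_update_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample input: the two rule UIDs from the parameter table.
    uids = [
        "29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0",
        "F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b",
    ]
    body = build_update_body(uids, comment="Escalated after triage",
                             status=5, urgency="high", newOwner="analyst_name")
    print(body)
    # To send it against a real search head (placeholders, not real creds):
    # print(update_notables("localhost", "admin", "changeme", body, verify_tls=False))
```

The validation in build_update_body mirrors the parameter table so that a malformed request is rejected locally rather than by the endpoint, and parse_update_response treats a non-zero failure_count as a failure even when success is true, which matters when a single call updates many notables by searchID.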



This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0
