Manually create a notable event in Splunk Enterprise Security
You can manually create a notable event from an indexed event, or create one from scratch.
Note: By default, only administrators with the edit_reviewstatuses capability can manually create notable events. To grant other users this capability, see Configure users and roles in the Installation and Upgrade Manual.
Create a notable event from an existing event
You can create a notable event from any indexed event using the Event Actions menu. Do not create a notable event from notable events on the Incident Review dashboard.
- From an event, view the event details and click Event Actions.
- Select Create notable event.
- Enter a Title for the event.
- (Optional) Select a security Domain.
- (Optional) Select an Urgency level.
- (Optional) Select an Owner.
- (Optional) Select a Status.
- Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
- Save the new notable event. The Incident Review dashboard displays with your new notable event.
Note: A notable event created in this way includes tracking fields such as Owner and Status, but does not include the unique fields or links created when a notable event is generated by a correlation search alert action.
Create a notable event from scratch
Create a notable event based on observations, a finding from a security system outside Splunk, or something else.
- Select Configure > Incident Management > New Notable Event.
- Enter a Title for the event.
- (Optional) Select a security Domain.
- (Optional) Select an Urgency level.
- (Optional) Select an Owner.
- (Optional) Select a Status.
- Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
- Save the new notable event. The Incident Review dashboard displays with your new notable event.
Add custom properties to a notable event
Add custom properties to a notable event using the eval
command in an SPL search. , Adding specific properties to the notable using the eval
command maps these properties to the output of the notable. For example: Use the following search to set a custom security_domain
, urgency
level, severity
level, risk_object
, risk_object_type
, and risk_score
to the notable called "Doc Test Notable".
| stats count | eval rule_title="Docs Test Notable", security_domain="audit", urgency="critical", severity="high", risk_object="compromised-laptop", risk_object_type="system", risk_score=45 | sendalert notable param.mapfields=rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions
The param.mapfields
does not map the rule_title
to the orig_rule_title
. Instead, you can use the search parameter eval rule_title="Docs Test Notable"
to invoke the rule title.
Ensure that the property that you add to the notable is customizable. Otherwise, the Incident Review page may have trouble loading.
Add a custom title to a notable event
Add a custom title to a notable event using a search to avoid using a generic title like: "Manual Notable Event- Rule". For example: Use the following search to set a custom title to the notable.
| stats count | eval rule_title="Custom title" | sendalert notable param.mapfields=rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions
Therefore, the param.mapfields
does not map the rule_title
to the orig_rule_title
.
Instead, you can use the search parameter eval rule_title="Custom title"
to invoke the rule title.
Use the owner field in a Splunk event to create a notable event with said owner
Normally in a correlation search, the owner
field automatically maps to orig_owner
. If you have some Splunk events, doesn't matter where they came from, and you want the owner field of the Splunk event to be the owner of the notable event, it is crucial that the value of the owner
field is a Splunk username. To use the owner field in a Splunk event to create a notable event with said owner, remove the owner
field from the list of notable mapfields
.
Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf
:
## savedsearches.conf [Threat – My Correlation – Rule] … action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions …
For example, if you have a CSV lookup that contains the "owner" field for assigning the new owners, then you can dynamically update the owner of an event in incident review by updating the lookup using a search similar to this one:
| inputlookup es_notable_events | search owner=gleb | eval owner="george"| outputlookup es_notable_events append=true key_field=_key
Pinpoint the original event via drill-down
If you are creating a notable event from a raw event, you can pinpoint the specific raw event that contributed to the notable event.
When certain fields exist such as orig_event_hash
, a secondary drill-down link is automatically constructed for you called "View original event." If the correct fields are passed with the notable event you can construct a very performant search for getting back to the original event.
The following fields come into play:
orig_time
(optional)orig_index
(optional)orig_indexer_guid
(optional)orig_event_hash
(required)
The orig_time
and orig_index
are automatically created if you pass _time
and index
respectively. This is because _time
and index
are included in the default set of mapfields
. For indexer_guid
and event_hash
you will either need to manually rename to orig_<field>
or add them to mapfields
as appropriate.
Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf
:
## savedsearches.conf [Threat – My Correlation – Rule] … action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,owner,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions,indexer_guid,event_hash …
Customize Incident Review in Splunk Enterprise Security | Customize notable event settings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!