Customize Incident Review in Splunk Enterprise Security
As a Splunk Enterprise Security administrator, you can customize the way that analysts view and interact with notable events on the Incident Review dashboard.
Modify analyst capabilities and permissions
Configure whether analysts can override the calculated urgency of a notable event and choose whether to require an analyst to add a comment when updating a notable event on the Incident Review Settings page.
- Select Configure > Incident Management > Incident Review Settings to view the Incident Review settings.
- Allow or prevent analysts from overriding the calculated urgency of a notable event with the Allow Overriding of Urgency checkbox. Analysts are allowed to override urgency by default.
- Require analysts to add a comment when updating a notable event by checking the Required checkbox under Comments.
- If you require analysts to add a comment, enter the minimum character length for required comments. The default character length is 20 characters.
Configure the recommended capacity for analysts
Configure the recommended maximum number of notable events that should be assigned per security analyst on the General Settings page.
- Select Configure > General > General Settings to view the General Settings.
- Enter a preferred number of notable events that should be assigned to an analyst with the Incident Review Analyst Capacity setting. The default is 12.
This value is used for audit purposes only; it does not prevent more than that number of notable events from being assigned to an analyst.
Change Incident Review columns
You can change the columns displayed on the Incident Review dashboard.
- Review the existing columns in Incident Review - Table Attributes.
- Use the action column to edit, remove, or change the order of the available columns.
- Add custom columns by selecting Insert below or selecting More..., then Insert above.
Troubleshoot an issue where analysts cannot edit notable events successfully on Incident Review
If analysts cannot edit notable events successfully on Incident Review, several issues could be the cause.
- The analyst might not have permission to make status transitions. See Manage notable event statuses.
- The analyst might be attempting to edit a notable event that is visible, but cannot be edited successfully due to the limited number of events that can be retrieved from a bucket.
If a correlation search creates a high number of notable events in a short period of time, such as 1000 in less than five minutes, the Incident Review dashboard can hit the max_events_per_bucket limit when attempting to retrieve notable events for display from the notable index.
If analysts are unable to edit a notable event for this reason, the analyst can use a smaller time range when reviewing notable events on Incident Review, for example a time range that reduces the number of events on the Incident Review dashboard to fewer than 1000. Because 1000 is the default value of max_events_per_bucket, a search that produces fewer than 1000 events cannot produce this error.
To prevent this from happening at any time, you can modify the maximum number of events that can be returned from a bucket. However, modifying this setting can negatively affect the performance of your Splunk software deployment.
If you are running Splunk Enterprise Security on Splunk Cloud Platform, file a support ticket for assistance with this setting.
- Open limits.conf for editing. See How to edit a configuration file in the Splunk Enterprise Admin Manual.
- Set max_events_per_bucket to a number above 1000.
- Save.
See limits.conf for more about the max_events_per_bucket setting.
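The following limits.conf fragment is an added illustration of the change described in the steps above; it is not taken from the Splunk documentation or from an Enterprise Security package. It assumes the setting lives in the [search] stanza of limits.conf (where limits.conf.spec defines it) and that the file being edited is the local override copy, $SPLUNK_HOME/etc/system/local/limits.conf, on the search head that serves Incident Review. The value 2000 is a constructed example, not a recommendation.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf  (assumed path; local overrides default)
#
# Default behaviour, shown for comparison. With the default of 1000,
# a correlation search that writes more than 1000 notable events into
# a single bucket can leave some of them visible but not editable on
# Incident Review.
#
# [search]
# max_events_per_bucket = 1000

# Raised limit. 2000 is a constructed example value; raising this
# setting increases the work done per bucket and can affect search
# performance across the deployment, so change it deliberately and
# test on a non-production search head first.
[search]
max_events_per_bucket = 2000
```

After saving and restarting the search head, you can confirm the effective value with `splunk btool limits list search --debug`, which also prints the file each setting was read from, so you can see whether your local override took precedence over the default. On Splunk Cloud Platform this file is not directly editable, which is why the text above points you to a support ticket instead.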
To help ES analysts with their workflows, you can add a link in the app navigation that loads a version of Incident Review with filters applied. See Add a link to a filtered view of Incident Review.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2