Splunk® Enterprise Security

Administer Splunk Enterprise Security


Create a workbench panel workflow action in Splunk Enterprise Security

Use an embedded workbench as a workflow field action to get more context about specific values in Incident Review. The embedded workbench provides a simplified drill-down experience, reduces the number of open tabs, and makes it easier to determine notable event trends. Pre-built panels can be embedded in dashboards and investigations, as well as directly within Incident Review.

Do the following to create a workbench panel workflow action and use an embedded workbench:

  1. Create a new panel or edit a prebuilt panel
  2. (Optional) Create a workbench panel from a prebuilt panel
  3. Create a workflow action
  4. Click on the field workflow action in Incident Review
  5. View the embedded workbench

Create a new prebuilt panel or edit a prebuilt panel

Create a new prebuilt panel, or edit one of the existing prebuilt panels that ship with Enterprise Security.

Create a prebuilt panel

If you are interested in investigating data that is not already included in a prebuilt panel, you can create your own panel. See Create panels and tabs for the investigation workbench.

Edit an existing prebuilt panel

Editing an existing workbench panel allows you to add tokens to the panel, or view tokens that are already defined. This example starts with editing the existing prebuilt panel of workbench_context_computer_inventory for use in creating the workflow action in the next step.

From the Enterprise Security menu bar, modify the workbench_context_computer_inventory panel by performing the following steps:

  1. Select Configure > Content > Content Management.
  2. From the Type filter, select Panel.
  3. Click the name of the panel, workbench_context_computer_inventory.
  4. Edit something, such as a token.

The search that is tied to this workbench panel is defined as follows:

<panel>
  <table>
    <search>
      <query>| tstats latest(_time) as _time, latest("All_Inventory.OS.os") as os, latest("All_Inventory.vendor_product") as vendor_product from datamodel="Compute_Inventory"."All_Inventory" where nodename="All_Inventory.OS" ($inventory_asset_dest_filter$ OR $inventory_identity_user_filter$) by "All_Inventory.dest" | head 10000 | `drop_dm_object_name("All_Inventory")` | fields _time, dest, os, vendor_product</query>
    </search>
    <option name="drilldown">cell</option>
    <option name="wrap">false</option>
  </table>
</panel>

You can stack multiple tables or other visualizations inside of the <panel> tags. See panel in the Splunk Enterprise Dashboards and Visualizations.

Create a workbench panel from a prebuilt panel

This step is only required if you create a prebuilt panel in the first step. If you edit an existing prebuilt panel in the first step, you can skip this step.

See Create or modify a panel for the investigation workbench.

Create a workflow action

Create a workflow action that references the workbench panel. This example starts after editing the existing prebuilt panel of workbench_context_computer_inventory as the first step. However, if you create a new prebuilt panel and a new workbench panel, then you can create a workflow action for your workbench panel.

From the Splunk Enterprise menu bar, perform the following steps:

  1. Go to Settings > Fields > Workflow Actions.
  2. Click New Workflow Action.
  3. Type the following in the corresponding fields:
    1. Name: Use a general name that is saved in workflow_actions.conf, for example, workbench_computer_inventory.
    2. Label: Use a token in the format of $tokenname$, such as the "dest" field in the notable event. Also append the string "inventory" after the token. For example, $dest$ Inventory.
    3. Apply only to the following fields: Use an asterisk to apply this to all the fields, for example *.
    4. Show action in: For displaying in Incident Review, use Fields menus.
    5. URI: Use the name of the prebuilt-panel that you created or edited, for example, panel=workbench_context_computer_inventory:
      /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_context_computer_inventory&drilldown_field=$@field_name$&use_drilldown_time=true
  4. Click Save.

The URI is composed of a few special tokens and query parameters: /app/$@namespace$/ess_workbench_panel?type_asset=$@field_value$&panel=workbench_context_computer_inventory&drilldown_field=$@field_name$&use_drilldown_time=true

Tokens:

| Token | Meaning |
| --- | --- |
| $@namespace$ | This is the namespace of the app (such as SplunkEnterpriseSecuritySuite). |
| $@field_value$ | This is the value of the field you selected from the workflow action, and is the value set to either type_asset, type_file, type_identity, or type_url. |
| $@field_name$ | This is the name of the field you selected from the workflow action, and is the value set to drilldown_field for proper telemetry reporting. Has no impact on functionality otherwise. |

Parameters:

| URL query parameter | Optional | Meaning |
| --- | --- | --- |
| type_asset, type_file, type_identity, type_url | Optional, but most panels won't work without it | Query parameter to pass artifacts. It can be defined multiple times to hand over multiple artifacts. Example: ?type_asset=127.0.0.1&type_asset=localhost&type_identity=admin |
| panel | Required | Set this to the name of the workbench panel you created. See Create a workflow action. |
| use_drilldown_time | Optional | Defines whether, on Incident Review, the time range defined by the notable event drilldown is used. Otherwise earliest and latest are used. |
| drilldown_field | Optional | Used for telemetry. Indicates the event field on which the workflow action is invoked. |
| earliest | Optional | Time range to use for the panel, unless use_drilldown_time is set to true and the workflow action is called on Incident Review (that exception does not affect the search page). |
| latest | Optional | Time range to use for the panel, unless use_drilldown_time is set to true and the workflow action is called on Incident Review (that exception does not affect the search page). |

For further details about tokens, see Token usage in dashboards in Splunk Enterprise Dashboards and Visualizations.
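The following Python sketch is an added example, not part of the Splunk documentation or product. It builds an embedded workbench URI from the tokens and parameters listed above and lints an existing URI against the same table, which is useful when the links are generated or reviewed outside the UI. The function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names come from the table above; function names are hypothetical.
ARTIFACT_PARAMS = {"type_asset", "type_file", "type_identity", "type_url"}
OPTIONAL_PARAMS = {"use_drilldown_time", "drilldown_field", "earliest", "latest"}
PAGE = "ess_workbench_panel"


def build_workbench_uri(namespace, panel, artifacts, **options):
    """Build the URI; artifacts is a list of (type_* parameter, value) pairs."""
    for kind, _value in artifacts:
        if kind not in ARTIFACT_PARAMS:
            raise ValueError(f"unknown artifact parameter: {kind}")
    unknown = set(options) - OPTIONAL_PARAMS
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    query = list(artifacts) + [("panel", panel)] + sorted(options.items())
    # safe="$@" leaves workflow tokens such as $@field_value$ literal; other
    # reserved characters in a value (&, =, #) are percent-encoded, so an
    # artifact value cannot add or override a query parameter.
    return f"/app/{namespace}/{PAGE}?" + urlencode(query, safe="$@")


def check_workbench_uri(uri):
    """Return findings for a workflow action URI; an empty list means it fits the table."""
    parts = urlsplit(uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _value in params]
    findings = []
    if not parts.path.endswith("/" + PAGE):
        findings.append(f"path does not end in {PAGE}")
    if names.count("panel") != 1 or not dict(params).get("panel"):
        findings.append("panel is required and must name exactly one workbench panel")
    if not ARTIFACT_PARAMS.intersection(names):
        findings.append("no type_* artifact parameter; most panels won't work")
    for name in sorted(set(names) - ARTIFACT_PARAMS - OPTIONAL_PARAMS - {"panel"}):
        findings.append(f"unknown parameter: {name}")
    return findings
```

Called with the tokens from this topic, `build_workbench_uri` reproduces the URI shown in the workflow action step.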

Click on the workflow field action in Incident Review

From the Enterprise Security menu bar, perform the following steps:

  1. Go to Incident Review.
  2. From a notable event that contains a Destination (dest) value:
    1. Click the info drop-down menu to view the event details.
    2. Click the new workflow in the destination field actions menu, complete with token substitution, such as 42.129.171.63 Inventory.

View the embedded workbench

The embedded workbench pops up with the token passed into it for the artifact. This is the dest field value that you specified when creating the workflow action.

From here, you can drill down into the data and investigate, without going back to the Enterprise Security menu bar and navigating to Incident Review.

See Investigations in Splunk Enterprise Security in Use Splunk Enterprise Security.

Last modified on 13 May, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 6.2.0

