Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manually create a notable event in Splunk Enterprise Security

You can manually create a notable event from an indexed event, or create one from scratch.

Note: By default, only administrators with the edit_reviewstatuses capability can manually create notable events. To grant other users this capability, see Configure users and roles in the Installation and Upgrade Manual.

Create a notable event from an existing event

You can create a notable event from any indexed event using the Event Actions menu. Do not create a notable event from notable events on the Incident Review dashboard.

  1. From an event, view the event details and click Event Actions.
  2. Select Create notable event.
  3. Enter a Title for the event.
  4. (Optional) Select a security Domain.
  5. (Optional) Select an Urgency level.
  6. (Optional) Select an Owner.
  7. (Optional) Select a Status.
  8. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
  9. Save the new notable event. The Incident Review dashboard displays with your new notable event.

Note: A notable event created in this way includes tracking fields such as Owner and Status, but does not include the unique fields or links created when a notable event is generated by a correlation search alert action.

Create a notable event from scratch

Create a notable event based on observations, a finding from a security system outside Splunk, or something else.

  1. Select Configure > Incident Management > New Notable Event.
  2. Enter a Title for the event.
  3. (Optional) Select a security Domain.
  4. (Optional) Select an Urgency level.
  5. (Optional) Select an Owner.
  6. (Optional) Select a Status.
  7. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
  8. Save the new notable event. The Incident Review dashboard displays with your new notable event.

Add custom properties to a notable event

Add custom properties to a notable event using the eval command in an SPL search. , Adding specific properties to the notable using the eval command maps these properties to the output of the notable. For example: Use the following search to set a custom security_domain, urgency level, severity level, risk_object, risk_object_type, and risk_score to the notable called "Doc Test Notable".

| stats count | eval rule_title="Docs Test Notable", security_domain="audit", urgency="critical", severity="high", risk_object="compromised-laptop", risk_object_type="system", risk_score=45 | sendalert notable param.mapfields=rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions

The param.mapfields does not map the rule_title to the orig_rule_title. Instead, you can use the search parameter eval rule_title="Docs Test Notable" to invoke the rule title.


Ensure that the property that you add to the notable is customizable. Otherwise, the Incident Review page may have trouble loading.

Add a custom title to a notable event

Add a custom title to a notable event using a search to avoid using a generic title like: "Manual Notable Event- Rule". For example: Use the following search to set a custom title to the notable.

| stats count | eval rule_title="Custom title" | sendalert notable param.mapfields=rule_id,rule_name,nes_fields,drilldown_name,drilldown_search,governance,control,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions

Therefore, the param.mapfields does not map the rule_title to the orig_rule_title. Instead, you can use the search parameter eval rule_title="Custom title" to invoke the rule title.

Use the owner field in a Splunk event to create a notable event with said owner

Normally in a correlation search, the owner field automatically maps to orig_owner. If you have some Splunk events, doesn't matter where they came from, and you want the owner field of the Splunk event to be the owner of the notable event, it is crucial that the value of the owner field is a Splunk username. To use the owner field in a Splunk event to create a notable event with said owner, remove the owner field from the list of notable mapfields.

Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf: 

## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions
…

For example, if you have a CSV lookup that contains the "owner" field for assigning the new owners, then you can dynamically update the owner of an event in incident review by updating the lookup using a search similar to this one:

| inputlookup es_notable_events | search owner=gleb | eval owner="george"| outputlookup es_notable_events append=true key_field=owner

Pinpoint the original event via drill-down

If you are creating a notable event from a raw event, you can pinpoint the specific raw event that contributed to the notable event.

When certain fields exist such as orig_event_hash, a secondary drill-down link is automatically constructed for you called "View original event." If the correct fields are passed with the notable event you can construct a very performant search for getting back to the original event.

The following fields come into play:

  • orig_time (optional)
  • orig_index (optional)
  • orig_indexer_guid (optional)
  • orig_event_hash (required)

The orig_time and orig_index are automatically created if you pass _time and index respectively. This is because _time and index are included in the default set of mapfields. For indexer_guid and event_hash you will either need to manually rename to orig_<field> or add them to mapfields as appropriate.

Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf: 

## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,owner,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions,indexer_guid,event_hash
…
Last modified on 11 August, 2021
PREVIOUS
Customize Incident Review in Splunk Enterprise Security 		  NEXT
Customize notable event settings in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters