
Manually create a notable event in Splunk Enterprise Security
You can manually create a notable event from an indexed event, or create one from scratch.
Note: By default, only administrators with the edit_reviewstatuses capability can manually create notable events. To grant other users this capability, see Configure users and roles in the Installation and Upgrade Manual.
Create a notable event from an existing event
You can create a notable event from any indexed event using the Event Actions menu. Do not create a notable event from notable events on the Incident Review dashboard.
- From an event, view the event details and click Event Actions.
- Select Create notable event.
- Enter a Title for the event.
- (Optional) Select a security Domain.
- (Optional) Select an Urgency level.
- (Optional) Select an Owner.
- (Optional) Select a Status.
- Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
- Save the new notable event. The Incident Review dashboard displays with your new notable event.
Note: A notable event created in this way includes tracking fields such as Owner and Status, but does not include the unique fields or links created when a notable event is generated by a correlation search alert action.
Create a notable event from scratch
Create a notable event based on observations, a finding from a security system outside Splunk, or something else.
- Select Configure > Incident Management > New Notable Event.
- Enter a Title for the event.
- (Optional) Select a security Domain.
- (Optional) Select an Urgency level.
- (Optional) Select an Owner.
- (Optional) Select a Status.
- Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
- Save the new notable event. The Incident Review dashboard displays with your new notable event.
Use the owner field in a Splunk event to create a notable event with said owner
Normally in a correlation search, the owner field automatically maps to orig_owner. If you have some Splunk events, regardless of where they came from, and you want the owner field of the Splunk event to become the owner of the notable event, it is crucial that the value of the owner field is a Splunk username. To use the owner field in a Splunk event to create a notable event with that owner, remove the owner field from the list of notable mapfields.
Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf:
## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions
…
For example, if you have a lookup that contains the "owner" field for assigning the new owners, you can dynamically update the owner of an event in Incident Review by updating the lookup with a search similar to this one:
| inputlookup es_notable_events | search owner=gleb | eval owner="george" | outputlookup es_notable_events append=true key_field=owner
The key_field argument applies only to lookups backed by a KV store collection; for a plain CSV lookup, omit it. The new owner value must also be an existing Splunk username, for the reason given above.
Pinpoint the original event via drill-down
If you are creating a notable event from a raw event, you can pinpoint the specific raw event that contributed to the notable event.
When certain fields exist, such as orig_event_hash, a secondary drill-down link called "View original event" is constructed for you automatically. If the correct fields are passed with the notable event, the drill-down can construct a very performant search for getting back to the original event.
The following fields come into play:
- orig_time (optional)
- orig_index (optional)
- orig_indexer_guid (optional)
- orig_event_hash (required)
The orig_time and orig_index fields are created automatically if you pass _time and index respectively, because _time and index are included in the default set of mapfields. For indexer_guid and event_hash you either need to rename them manually to orig_<field> in the search, or add them to mapfields so that they are renamed for you.
Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf:
## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,owner,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions,indexer_guid,event_hash
…
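The following Python is an added illustration, not Splunk's code and not part of this page: it models the mapfields renaming that both the owner section and this drill-down section rely on, so you can see why removing owner from mapfields changes who owns the notable, and which orig_ fields the "View original event" drill-down needs. The modelled behaviour is an assumption drawn from the prose above (a field named in action.notable.param.mapfields is stored as orig_<name>, with a leading underscore dropped so that _time becomes orig_time; the alert action's own parameters are then set on top). The stanza text, user list, events and the shape of the reconstructed drill-down search (including event_hash as a search-time field) are constructed for the example and are not ES's actual implementation.

```python
"""Model of the mapfields renaming done by the ES notable alert action.

Added illustration, not Splunk's own code. Assumed behaviour (the page only
describes it in prose): every field of a matching event is copied into the
notable event; a field whose name appears in action.notable.param.mapfields
is stored as orig_<name> instead (leading underscore dropped, so _time
becomes orig_time); the alert action's own parameters such as rule_title and
default_owner are then set on top. Config text, users and events below are
constructed sample data.
"""
from __future__ import annotations

# Constructed stanza in the shape of the page's savedsearches.conf fragment;
# _time and index are listed because the page says they are in the default set.
SAVEDSEARCHES_CONF = """
[Threat - My Correlation - Rule]
action.notable = 1
action.notable.param.rule_title = Suspicious login for $user$
action.notable.param.default_owner = admin
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions,_time,index,indexer_guid,event_hash
"""

SPLUNK_USERS = {"admin", "gleb", "george"}  # constructed: users that exist on this instance


def parse_stanza(conf_text: str, stanza: str) -> dict[str, str]:
    """Return the key/value settings of one stanza (enough .conf grammar for this page)."""
    settings: dict[str, str] = {}
    in_stanza = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line[1:-1] == stanza
            continue
        if in_stanza and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    if not settings:
        raise KeyError(f"stanza {stanza!r} not found")
    return settings


def mapfields_of(settings: dict[str, str]) -> list[str]:
    value = settings.get("action.notable.param.mapfields", "")
    return [f.strip() for f in value.split(",") if f.strip()]


def action_params(settings: dict[str, str]) -> dict[str, str]:
    """The alert action's own notable fields: every param.* setting except mapfields."""
    prefix = "action.notable.param."
    return {k[len(prefix):]: v for k, v in settings.items()
            if k.startswith(prefix) and k != prefix + "mapfields"}


def build_notable(event: dict, mapfields: list[str], params: dict[str, str]) -> dict:
    """Copy event fields into the notable, renaming mapped ones to orig_<field>."""
    notable = {}
    for name, value in event.items():
        key = "orig_" + name.lstrip("_") if name in mapfields else name
        notable[key] = value
    notable.update(params)  # the action's own parameters win over event fields
    return notable


def resolve_owner(notable: dict, users: set[str]) -> str:
    """An event-supplied owner counts only if it is an existing Splunk username
    (the page calls this crucial); otherwise fall back to default_owner / unassigned."""
    owner = notable.get("owner")
    if owner in users:
        return owner
    return notable.get("default_owner", "unassigned")


def original_event_search(notable: dict) -> str | None:
    """Assumed shape of a drill-down back to the raw event: orig_event_hash is
    required, orig_index and orig_time narrow the search to one index and one
    second; orig_indexer_guid is optional on the page and not used here."""
    if "orig_event_hash" not in notable:
        return None
    terms = []
    if "orig_index" in notable:
        terms.append(f"index={notable['orig_index']}")
    if "orig_time" in notable:
        t = int(notable["orig_time"])
        terms.append(f"earliest={t} latest={t + 1}")
    terms.append(f"event_hash={notable['orig_event_hash']}")  # assumed search-time field
    return " ".join(terms)


def demo() -> tuple[dict, dict]:
    """Same event, once with owner left out of mapfields and once with it mapped."""
    settings = parse_stanza(SAVEDSEARCHES_CONF, "Threat - My Correlation - Rule")
    mapfields, params = mapfields_of(settings), action_params(settings)
    event = {"_time": 1700000000, "index": "main", "user": "bob", "owner": "gleb",
             "indexer_guid": "constructed-guid-0001", "event_hash": "d41d8cd9"}  # constructed
    as_is = build_notable(event, mapfields, params)
    with_owner_mapped = build_notable(event, mapfields + ["owner"], params)
    return as_is, with_owner_mapped


if __name__ == "__main__":
    as_is, mapped = demo()
    print("owner kept out of mapfields ->", resolve_owner(as_is, SPLUNK_USERS))
    print("owner listed in mapfields   ->", resolve_owner(mapped, SPLUNK_USERS))
    print("drill-down:", original_event_search(as_is))
```

Run stand-alone, the script shows the owner coming from the event ("gleb") when owner is absent from mapfields, falling back to default_owner ("admin") when owner is mapped to orig_owner, and a drill-down search that can only be built because event_hash was listed in mapfields and therefore arrived as orig_event_hash.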
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only