Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manually create a notable event in Splunk Enterprise Security

You can manually create a notable event from an indexed event, or create one from scratch.

Note: By default, only administrators with the edit_reviewstatuses capability can manually create notable events. To grant other users this capability, see Configure users and roles in the Installation and Upgrade Manual.

Create a notable event from an existing event

You can create a notable event from any indexed event using the Event Actions menu. Do not create a notable event from notable events on the Incident Review dashboard.

  1. From an event, view the event details and click Event Actions.
  2. Select Create notable event.
  3. Enter a Title for the event.
  4. (Optional) Select a security Domain.
  5. (Optional) Select an Urgency level.
  6. (Optional) Select an Owner.
  7. (Optional) Select a Status.
  8. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
  9. Save the new notable event. The Incident Review dashboard displays with your new notable event.

Note: A notable event created in this way includes tracking fields such as Owner and Status, but does not include the unique fields or links created when a notable event is generated by a correlation search alert action.

Create a notable event from scratch

Create a notable event based on observations, a finding from a security system outside Splunk, or something else.

  1. Select Configure > Incident Management > New Notable Event.
  2. Enter a Title for the event.
  3. (Optional) Select a security Domain.
  4. (Optional) Select an Urgency level.
  5. (Optional) Select an Owner.
  6. (Optional) Select a Status.
  7. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
  8. Save the new notable event. The Incident Review dashboard displays with your new notable event.

Use the owner field in a Splunk event to create a notable event with said owner

Normally in a correlation search, the owner field automatically maps to orig_owner. If you have some Splunk events, doesn't matter where they came from, and you want the owner field of the Splunk event to be the owner of the notable event, it is crucial that the value of the owner field is a Splunk username. To use the owner field in a Splunk event to create a notable event with said owner, remove the owner field from the list of notable mapfields.

Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf: 

## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions
…

For example, if you have a CSV lookup that contains the "owner" field for assigning the new owners, then you can dynamically update the owner of an event in incident review by updating the lookup using a search similar to this one:

| inputlookup es_notable_events | search owner=gleb | eval owner="george"| outputlookup es_notable_events append=true key_field=owner

Pinpoint the original event via drill-down

If you are creating a notable event from a raw event, you can pinpoint the specific raw event that contributed to the notable event.

When certain fields exist such as orig_event_hash, a secondary drill-down link is automatically constructed for you called "View original event." If the correct fields are passed with the notable event you can construct a very performant search for getting back to the original event.

The following fields come into play:

  • orig_time (optional)
  • orig_index (optional)
  • orig_indexer_guid (optional)
  • orig_event_hash (required)

The orig_time and orig_index are automatically created if you pass _time and index respectively. This is because _time and index are included in the default set of mapfields. For indexer_guid and event_hash you will either need to manually rename to orig_<field> or add them to mapfields as appropriate.

Your correlation rule will look similar to the following in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf: 

## savedsearches.conf
[Threat – My Correlation – Rule]
…
action.notable.param.mapfields = rule_id,rule_name,rule_title,rule_description,security_domain,nes_fields,drilldown_name,drilldown_search,governance,control,status,owner,default_owner,drilldown_earliest_offset,drilldown_latest_offset,next_steps,investigation_profiles,extract_artifacts,recommended_actions,indexer_guid,event_hash
…
Last modified on 05 March, 2019
PREVIOUS
Customize Incident Review in Splunk Enterprise Security 		  NEXT
Customize notable event settings in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters