Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Customize Incident Review in Splunk Enterprise Security

As a Splunk Enterprise Security administrator, you can customize the way that analysts view and interact with notable events on the Incident Review dashboard.

Modify analyst capabilities and permissions

Configure whether analysts can override the calculated urgency of a notable event and choose whether to require an analyst to add a comment when updating a notable event on the Incident Review Settings page.

  1. Select Configure > Incident Management > Incident Review Settings to view the Incident Review settings.
  2. Allow or prevent analysts from overriding the calculated urgency of a notable event with the Allow Overriding of Urgency checkbox. Analysts are allowed to override urgency by default.
  3. Require analysts to add a comment when updating a notable event by checking the Required checkbox under Comments.
  4. If you require analysts to add a comment, enter the minimum character length for required comments. The default character length is 20 characters.

Configure the recommended capacity for analysts

Configure the recommended maximum number of notable events that should be assigned per security analyst on the General Settings page.

  1. Select Configure > General > General Settings to view the General Settings.
  2. Enter a preferred number of notable events that should be assigned to an analyst with the Incident Review Analyst Capacity setting. The default is 12.

This value is used for audit purposes, and does not prevent more than the default number of notable events from being assigned to an analyst.

Change Incident Review columns

You can change the columns displayed on the Incident Review dashboard.

  1. Review the existing columns in Incident Review - Table Attributes.
  2. Use the action column to edit, remove, or change the order of the available columns.
  3. Add custom columns by selecting Insert below or selecting More..., then Insert above.

You might not be able to add or modify Incident Review settings if you do not hold the required capabilities, such as edit_log_review_settings and edit_reviewstatuses; both are needed.

Troubleshoot an issue where analysts cannot edit notable events successfully on Incident Review

If analysts cannot edit notable events successfully on Incident Review, several issues could be the cause.

  • The analyst might not have permission to make status transitions. See Manage notable event statuses.
  • The analyst might be attempting to edit a notable event that is visible, but cannot be edited successfully due to the limited number of events that can be retrieved from a bucket.

If a correlation search creates a high number of notable events in a short period of time, such as 1000 in less than five minutes, the Incident Review dashboard can hit the max_events_per_bucket limit when attempting to retrieve notable events for display from the notable index.

If analysts are unable to edit a notable event for this reason, the analyst can use a smaller time range when reviewing notable events on Incident Review, for example a time range that reduces the number of events on the Incident Review dashboard to fewer than 1000. Because 1000 is the default value of max_events_per_bucket, a search that produces fewer than 1000 events cannot trigger this error.

To prevent this from happening at any time, you can modify the maximum number of events that can be returned from a bucket. However, modifying this setting can negatively affect the performance of your Splunk software deployment.

If you are running Splunk Enterprise Security on Splunk Cloud Platform, file a support ticket for assistance with this setting.

  1. Open limits.conf for editing. See How to edit a configuration file in the Splunk Enterprise Admin Manual.
  2. Set max_events_per_bucket to a number above 1000.
  3. Save.

See limits.conf for more about the max_events_per_bucket setting.
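As an added example (not from Splunk's documentation or code), the following Python helper reads a limits.conf, reports the effective max_events_per_bucket (falling back to the 1000 default described above), checks whether a given event count could hit that limit, and writes back a raised value. It assumes the setting lives in the [search] stanza and that the file begins with a stanza header; both are assumptions, not stated on this page.

```python
import configparser
import io

DEFAULT_MAX_EVENTS_PER_BUCKET = 1000  # default stated in the procedure above
STANZA = "search"  # assumption: the limits.conf stanza that holds the setting

# Constructed sample limits.conf, not taken from a real deployment.
SAMPLE_CONF = """\
# constructed sample
[search]
max_events_per_bucket = 1000
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    # Splunk conf files are INI-like; disable interpolation so '%' in values is safe,
    # and allow duplicate keys rather than failing on a hand-edited file.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(conf_text)
    return cp


def effective_limit(conf_text: str) -> int:
    """Return the max_events_per_bucket value the conf sets, or the default."""
    cp = _parse(conf_text)
    if cp.has_option(STANZA, "max_events_per_bucket"):
        return cp.getint(STANZA, "max_events_per_bucket")
    return DEFAULT_MAX_EVENTS_PER_BUCKET


def would_hit_limit(event_count: int, conf_text: str = "") -> bool:
    """True if a search returning event_count events could hit the bucket limit."""
    return event_count >= effective_limit(conf_text)


def raise_limit(conf_text: str, new_limit: int) -> str:
    """Return conf text with max_events_per_bucket raised above the default."""
    if new_limit <= DEFAULT_MAX_EVENTS_PER_BUCKET:
        raise ValueError("new limit must be above the default of 1000")
    cp = _parse(conf_text)
    if not cp.has_section(STANZA):
        cp.add_section(STANZA)
    cp.set(STANZA, "max_events_per_bucket", str(new_limit))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Run it against a copy of limits.conf rather than the live file, and remember that raising the limit can affect search performance, as the page notes.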

Add a navigation link to a filtered view of Incident Review

To help ES analysts with their workflows, you can add a link in the app navigation that loads a version of Incident Review with filters applied. See Add a link to a filtered view of Incident Review.

Last modified on 26 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0