Splunk® Enterprise Security

REST API Reference

Notable Event API reference

Access the Notable Event framework in Splunk Enterprise Security.

The Notable Event framework provides a way to identify noteworthy incidents from events and then manage the ownership, triage process, and state of those incidents. For more information about working with the framework, see Notable Event framework in Splunk ES on the Splunk developer portal.

There is no GET method for notable events, known as findings in version 8.0.0, in Splunk Enterprise Security. Instead, you can use Splunk search and macros to access the findings programmatically. See Using notable events in search on the Splunk developer portal.

Usage details

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations. You must have the edit_notable_events capability along with the ess_analyst role to use the notable event endpoint. For more information on configuring user roles and capabilities for Splunk Enterprise Security, see Configure users and roles.

Alternatively, you can use token authentication. See Set up authentication with tokens in the Splunk Enterprise Securing the Splunk Platform manual.

Username and password authentication is used in the examples that follow.

Splunk Cloud Platform URL for REST API access

Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Splunk Cloud Platform deployments
Use the following URL for single-instance deployments.

https://<deployment-name>.splunkcloud.com:8089

Use the following URL for clustered deployments. If necessary, submit a support case to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.

https://input-<deployment-name>.splunkcloud.com:8089

See Using the REST API in Splunk Cloud Platform in the the Splunk REST API Tutorials for more information.

/services/notable_update

Edit all findings that match one or more ruleUIDs, or edit all findings that match a search.

Syntax

https://<host>:<mPort>/services/notable_update

POST

Update the status, urgency, owner, or comment of one or more findings.

Request parameters
An argument string must include at least one of the following arguments: comment, status, urgency, newOwner. It also must include either a searchID or one or more ruleUIDs.

Field Description
comment A description of the change or some information about the findings.
status A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event.
urgency An urgency. Only required if you are changing the urgency of the event.
newOwner An owner. Only required if reassigning the event.
ruleUIDs A list of finding IDs. Must be provided if a searchID is not provided. Include multiples of this attribute to edit multiple events. For example, ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&ruleUIDs
=F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b
.
searchID An ID of a search. All of the events associated with this search will be modified unless a list of ruleUIDs are provided that limit the scope to a subset of the results.
disposition An ID for a disposition that matches a disposition in the reviewstatuses.conf configuration file. Required only if you are changing the disposition of the event.

Response

A success or failure message.


Example request

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"
import splunk.rest as rest
import splunk.auth as auth

session_key = auth.getSessionKey('admin', 'changeme')

uri = '/services/notable_update'
rule_id = '0F70A754-5482-42A5-A22A-A615D7A155FF@@notable@@81efe8f52d16a337520045e4e5a87308'
owner = 'admin'
status = 2
comment = 'this is a test comment'
disposition = 'disposition:2'

postargs = {'ruleUIDs': rule_id, 'newOwner': owner, 'comment': comment,
                    'status': status, 'disposition': disposition}
r, c = rest.simpleRequest(uri, sessionKey=session_key, postargs=postargs)

Example response

{"message":"1 event updated successfully","failure_count":0,"success":true,"details":{},"success_count":1}


Last modified on 16 September, 2024
Threat Intelligence API reference   Analytic Story API reference

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters