Modify the fields for findings in Splunk Enterprise Security
Modify the fields for findings so that you can customize the display of these fields on the Mission Control page in Splunk Enterprise Security. For example, change the label of a field, remove a field, or add a field to the Additional Fields section of the finding details. Changes that you make to the fields impact all findings.
Follow these steps to modify the fields for findings in Splunk Enterprise Security:
- In Splunk Enterprise Security, select Configure.
- Select Findings and investigations and then select Field values for findings.
- Select Edit to change a field or the label for a specific field to modify how it is displayed on the Mission Control page.
- Select Remove to remove a field from the finding details on the Mission Control page.
- Select Save.
Add a field to the finding details
A field appears in the Additional fields of the finding details on the Mission Control page, if the field exists in the detection search results. To add a field to the finding details, ensure that the detection results include the field and then ensure that the Mission Control page displays the field.
Follow these steps to add a field to the finding details and the Mission Control page:
Determine if the field you want to see is included in the detection search results by running the detection on the Search page to review the output or the search syntax.
- If the field exists in the search results, add the field to the list of additional fields.
- If the field does not exist in the search results, modify the detection search processing language (SPL) query to include the field.
Modify the detection SPL to include the field
Follow these steps to modify the detection SPL to include the field:
- Edit the search.
- If you created the search manually, modify the detection SPL to extract the fields. Make sure that you do not modify the correlation criteria when you modify the detection.
- If you did not create the search manually, add the field as an aggregate function with an alias. Use the values function to return all possible values of a given field, or the latest function to return the most recent value for the field.
- Extract fields.
- If the detection includes statistical transformations, extract the fields when you perform the statistical transformation.
- If the detection does not include statistical transformations, add
| fields + newfieldname
to the end of the SPL, wherenewfieldname
is the name of the new field you want to see in the additional details.
- Verify changes to detection on the Search page before saving them.
Add the field to the list of additional fields
Follow these steps to add the field to the list of additional fields:
- In Splunk Enterprise Security, select Configure.
- Select Findings and investigations.
- Select Field values for findings.
- Select Add field to add the new field to the Additional Fields section of the finding details.
- In the Edit event attribute dialog, enter a Field to match the field that you want to appear in the finding details.
- Enter a Label to use as the display name of the field in the finding details.
- Select Save.
SPL search to verify the additional fields
Use the following search to get a list of all of the active Additional fields.
| rest splunk_server=local /servicesNS/-/-/configs/conf-log_review/incident_review
| fields event_attributes
| eval d=split(event_attributes, "},")
| rex field=d max_match=0 "field\"\s*:\s*\"(?<field>[^\"]+)"
| rex field=d max_match=0 "label\"\s*:\s*\"(?<label>[^\"]+)"
| eval mv=mvzip(field,label)
| fields mv
| mvexpand mv
| eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1)
| table field, label
A truncated example response follows.
field | label |
---|---|
action | Action |
app | Application |
bytes_in | Bytes In |
bytes_out | Bytes Out |
category | Category |
change_type | Change Type |
channel | Channel |
command | Command |
cpu_load_percent | CPU Load (%) |
creator | Creator |
creator_realname | Creator Realname |
cve | CVE |
decoration | Decoration |
desc | Description |
dest | Destination |
dest_threatlist_category | Destination Threat List Category |
dest_threatlist_description | Destination Threat List Description |
dest_threatlist_name | Destination Threat List Name |
dest_bunit | Destination Business Unit |
dest_category | Destination Category |
Find findings based on calculated eval fields
You can find findings using the Search bar of the Mission Control page by filtering on specific fields such as src
and dest
that exist in the finding. However, you might not find findings by filtering on search time calculated eval fields such as event_hash
or event_id
.
This is because the Search bar on the Mission Control page supports search for freeform keyword or text, which might not apply to all the information on the Mission Control page. Search time calculated eval fields are not directly searchable.
As a workaround, you can retrieve the findings using the search bar by filtering based on fully qualified SPL syntax.
For example, if you want to search findings with entities that contain foobarbaz
, you can use entity="foobarbaz"
or entity="foobarbaz*"
See also
For more information on fields in findings, see the product documentation:
Configure findings manually to track specific fields in Splunk Enterprise Security
Create suppression rules for findings in Splunk Enterprise Security | Configure the status of findings and investigations in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!