Notable Event API reference
Access the Notable Event framework in Splunk Enterprise Security.
The Notable Event framework provides a way to identify noteworthy incidents from events and then manage the ownership, triage process, and state of those incidents. For more information about working with the framework, see Notable Event framework in Splunk ES on the Splunk developer portal.
There is no GET method for notable events, known as findings in version 8.0.0, in Splunk Enterprise Security. Instead, you can use Splunk search and macros to access the findings programmatically. See Using notable events in search on the Splunk developer portal.
Usage details
Authentication and Authorization
Username and password authentication is required for access to endpoints and REST operations. You must have the edit_notable_events
capability along with the ess_analyst
role to use the notable event endpoint. For more information on configuring user roles and capabilities for Splunk Enterprise Security, see Configure users and roles.
Alternatively, you can use token authentication. See Set up authentication with tokens in the Splunk Enterprise Securing the Splunk Platform manual.
Username and password authentication is used in the examples that follow.
Splunk Cloud Platform URL for REST API access
Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.
Splunk Cloud Platform deployments
Use the following URL for single-instance deployments.
https://<deployment-name>.splunkcloud.com:8089
Use the following URL for clustered deployments. If necessary, submit a support case to open port 8089 on your deployment.
https://<deployment-name>.splunkcloud.com:8089
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.
https://input-<deployment-name>.splunkcloud.com:8089
See Using the REST API in Splunk Cloud Platform in the the Splunk REST API Tutorials for more information.
/services/notable_update
Edit all findings that match one or more ruleUIDs, or edit all findings that match a search.
Syntax
https://<host>:<mPort>/services/notable_update
POST
Update the status, urgency, owner, or comment of one or more findings.
Request parameters
An argument string must include at least one of the following arguments: comment, status, urgency, newOwner. It also must include either a searchID or one or more ruleUIDs.
Field | Description |
---|---|
comment | A description of the change or some information about the findings. |
status | A status ID matching a status in reviewstatuses.conf . Only required if you are changing the status of the event.
|
urgency | An urgency. Only required if you are changing the urgency of the event. |
newOwner | An owner. Only required if reassigning the event. |
ruleUIDs | A list of finding IDs. Must be provided if a searchID is not provided. Include multiples of this attribute to edit multiple events. For example, ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&ruleUIDs .
|
searchID | An ID of a search. All of the events associated with this search will be modified unless a list of ruleUIDs are provided that limit the scope to a subset of the results. |
disposition | An ID for a disposition that matches a disposition in the reviewstatuses.conf configuration file. Required only if you are changing the disposition of the event.
|
Response
A success or failure message.
Example request
curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"
import splunk.rest as rest import splunk.auth as auth session_key = auth.getSessionKey('admin', 'changeme') uri = '/services/notable_update' rule_id = '0F70A754-5482-42A5-A22A-A615D7A155FF@@notable@@81efe8f52d16a337520045e4e5a87308' owner = 'admin' status = 2 comment = 'this is a test comment' disposition = 'disposition:2' postargs = {'ruleUIDs': rule_id, 'newOwner': owner, 'comment': comment, 'status': status, 'disposition': disposition} r, c = rest.simpleRequest(uri, sessionKey=session_key, postargs=postargs)
Example response
{"message":"1 event updated successfully","failure_count":0,"success":true,"details":{},"success_count":1}
Threat Intelligence API reference | Analytic Story API reference |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!