Notable events
When a correlation search included in the Splunk App for PCI Compliance (or added by a user) identifies an event or pattern of events, it creates a notable event. Correlation searches filter the IT security data and correlate across events to identify a particular type of incident (or pattern of events) and then create notable events. The app includes pre-configured correlation searches to create notable events, and lets you add your own.
The notable events are disabled by default in correlation searches. To create a notable event, see Create a notable event in the Splunk App for PCI Compliance ''User Manual''.
Correlation searches run at regular intervals (for example, every hour) or continuously in real-time and search events for a particular pattern or type of activity. The notable event is stored in a dedicated notable index, which is implemented as a summary index in Splunk Enterprise. The Incident Review dashboard is used to view and act on notable events. A notable event might be a single event of high importance, such as any activity from a known web attacker, or an aggregate of multiple events that together warrant review, such as a high number of authentication failures on a single host followed by a successful authentication.
When notable events are created, relevant information from the asset list is combined with the event information. To help to further identify important patterns, correlation searches are each assigned a "severity" of informational, low, medium, high, or critical. Notable events are assigned an "urgency", based on the severity of the event and the priority of the asset corresponding to the event.
- If event severity is informational, the event urgency is informational, regardless of asset priority.
- If asset priority is unknown or low and event severity is unknown, low, or medium, the event urgency is low.
- If asset priority is unknown or low and event severity is high, the event urgency is medium.
- If asset priority is unknown or low and event severity is critical, the event urgency is high.
- If asset priority is unknown or low and event severity is critical, the event urgency is high.
- If asset priority is medium and event severity is unknown or low, the event urgency is low.
- If asset priority is medium and event severity is medium, the event urgency is medium.
- If asset priority is medium and event severity is high, the event urgency is high.
- If asset priority is medium and event severity is critical, the event urgency is critical.
- If asset priority is high and event severity is unknown, low, or medium, the event urgency is medium.
- If asset priority is medium and event severity is high, the event urgency is high.
- If asset priority is medium and event severity is critical, the event urgency is critical.
- If asset priority is critical and event severity is unknown or low, the event urgency is medium.
- If asset priority is critical and event severity is medium, the event urgency is high.
- If asset priority is critical and event severity is high or critical, the event urgency is critical.
Correlation searches do not use the calculated severity described if the events being searched contain a severity field.
How to suppress notable events
In some cases, you might want to prevent certain types of notable events from appearing on the Incident Review dashboard or contributing to alert thresholds. To do this, you need to create a notable event suppression. See Suppressing notable events in this manual.
Manually create a notable event
You can manually create a notable event from an indexed event, or create one from scratch.
Note: By default, only administrators can manually create notable events. To grant other users this capability, see Configure user and roles in the Installation and Upgrade Manual.
Create a notable event from an existing event
You can create a notable event from any indexed event using the Event Actions menu. Do not create a notable event from notable events on the Incident Review dashboard.
- From an event, view the event details and click Event Actions.
- Select Create notable event.
- Enter a Title for the event.
- (Optional) Select a security Domain.
- (Optional) Select an Urgency level.
- (Optional) Select an Owner.
- (Optional) Select a Status.
- Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
- Save the new notable event. The Incident Review dashboard displays with your new notable event.
Note: A notable event created in this way includes tracking fields such as Owner and Status, but does not include the unique fields or links created when a notable event is generated by a correlation search alert action.
Create a notable event from scratch
Create a notable event based on observations, a finding from a security system outside Splunk software, or something else.
- Select Configure > Incident Management > New Notable Event.
- Enter a Title for the event.
- (Optional) Select a security Domain.
- (Optional) Select an Urgency level.
- (Optional) Select an Owner.
- (Optional) Select a Status.
- Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
- Save the new notable event. The Incident Review dashboard displays with your new notable event.
Create new correlation searches | Configure Incident Workflow |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
Feedback submitted, thanks!