https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-notable-events-in-Splunk-Cloud-or-is-it/m-p/654930#M2453 <P>Is it possible to create notable events in Splunk Cloud or is it only native to Enterprise Security?&nbsp; The detection rule below is creating actions=risk, notable and assigning some parameters in the notable event. Is it possible to implement this rule as it is with actions notable events in Splunk Cloud or is it only possible in Enterprise Security? I know the alert can be created in Splunk Cloud with its alerting feature, but I am wondering if we need to modify the actions part of the detection rule if notable events do not exist in Splunk Cloud. Thank you.<BR /><BR /></P> <DIV class=""><SPAN class="">[</SPAN>Possible Remote Administration Tools Detected <SPAN class="">(</SPAN>via office365)<SPAN class="">]</SPAN></DIV> <DIV class="">alert.severity = 3</DIV> <DIV class=""><SPAN class="">description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.</SPAN></DIV> <DIV class="">cron_schedule = <SPAN class="">0 </SPAN>* * * *</DIV> <DIV class="">disabled = 1</DIV> <DIV class="">is_scheduled = 1</DIV> <DIV class="">is_visible = 1</DIV> <DIV class="">dispatch.earliest_time = -60m@m</DIV> <DIV class="">dispatch.latest_time = now<BR /><SPAN>search = index=* </SPAN><SPAN class="">((</SPAN><SPAN>Operation="FileUploaded" OR Operation="FileAccessed" OR Operation="FileDownloaded")</SPAN><BR /> <DIV class="">alert.suppress = 0</DIV> <DIV class="">alert.track = 1</DIV> <DIV class="">actions = risk,notable</DIV> <DIV class="">action.risk = 1</DIV> <DIV class="">action.risk.param._risk_object_type = user</DIV> <DIV class="">action.risk.param._risk_score = 75</DIV> <DIV class="">action.correlationsearch = 0</DIV> <DIV class="">action.correlationsearch.enabled = 1</DIV> <DIV class="">action.notable.param.rule_title = Possible Remote Administration Tools Detected <SPAN class="">(</SPAN>via office365)</DIV> <DIV class=""><SPAN class="">action.notable.param.rule_description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.&nbsp;</SPAN></DIV> <DIV class="">action.correlationsearch.label = Possible Remote Administration Tools Detected <SPAN class="">(</SPAN>via office365)</DIV> <DIV class=""><SPAN class="">action.correlationsearch.annotations = {"mitre_attack"</SPAN><SPAN class="">:</SPAN> <SPAN class="">[</SPAN><SPAN class="">"T1204"</SPAN><SPAN class="">]}</SPAN></DIV> </DIV> Mon, 21 Aug 2023 19:42:51 GMT mike4860 2023-08-21T19:42:51Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-notable-events-in-Splunk-Cloud-or-is-it/m-p/654930#M2453 <P>Is it possible to create notable events in Splunk Cloud or is it only native to Enterprise Security?&nbsp; The detection rule below is creating actions=risk, notable and assigning some parameters in the notable event. Is it possible to implement this rule as it is with actions notable events in Splunk Cloud or is it only possible in Enterprise Security? I know the alert can be created in Splunk Cloud with its alerting feature, but I am wondering if we need to modify the actions part of the detection rule if notable events do not exist in Splunk Cloud. Thank you.<BR /><BR /></P> <DIV class=""><SPAN class="">[</SPAN>Possible Remote Administration Tools Detected <SPAN class="">(</SPAN>via office365)<SPAN class="">]</SPAN></DIV> <DIV class="">alert.severity = 3</DIV> <DIV class=""><SPAN class="">description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.</SPAN></DIV> <DIV class="">cron_schedule = <SPAN class="">0 </SPAN>* * * *</DIV> <DIV class="">disabled = 1</DIV> <DIV class="">is_scheduled = 1</DIV> <DIV class="">is_visible = 1</DIV> <DIV class="">dispatch.earliest_time = -60m@m</DIV> <DIV class="">dispatch.latest_time = now<BR /><SPAN>search = index=* </SPAN><SPAN class="">((</SPAN><SPAN>Operation="FileUploaded" OR Operation="FileAccessed" OR Operation="FileDownloaded")</SPAN><BR /> <DIV class="">alert.suppress = 0</DIV> <DIV class="">alert.track = 1</DIV> <DIV class="">actions = risk,notable</DIV> <DIV class="">action.risk = 1</DIV> <DIV class="">action.risk.param._risk_object_type = user</DIV> <DIV class="">action.risk.param._risk_score = 75</DIV> <DIV class="">action.correlationsearch = 0</DIV> <DIV class="">action.correlationsearch.enabled = 1</DIV> <DIV class="">action.notable.param.rule_title = Possible Remote Administration Tools Detected <SPAN class="">(</SPAN>via office365)</DIV> <DIV class=""><SPAN class="">action.notable.param.rule_description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.&nbsp;</SPAN></DIV> <DIV class="">action.correlationsearch.label = Possible Remote Administration Tools Detected <SPAN class="">(</SPAN>via office365)</DIV> <DIV class=""><SPAN class="">action.correlationsearch.annotations = {"mitre_attack"</SPAN><SPAN class="">:</SPAN> <SPAN class="">[</SPAN><SPAN class="">"T1204"</SPAN><SPAN class="">]}</SPAN></DIV> </DIV> Mon, 21 Aug 2023 19:42:51 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-notable-events-in-Splunk-Cloud-or-is-it/m-p/654930#M2453 mike4860 2023-08-21T19:42:51Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-notable-events-in-Splunk-Cloud-or-is-it/m-p/654931#M2454 <P>Notable Events and Correlation Searches are Splunk Enterprise Security (ES) features.&nbsp; While you can create an index called "notable" in Splunk Cloud (or Splunk Enterprise), you can't get the full Notables experience without ES.</P> Fri, 18 Aug 2023 19:47:05 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Is-it-possible-to-create-notable-events-in-Splunk-Cloud-or-is-it/m-p/654931#M2454 richgalloway 2023-08-18T19:47:05Z