topic Re: How to automatically assign a recent random notable to a specific user in Splunk Enterprise Security

How to automatically assign a recent random notable to a specific user

NightShark — Tue, 25 Jan 2022 14:38:48 GMT

Hello,

I would like to assign random new "unassigned" notables to a specific user.

I wanted to accomplish this via a saved search but unfortunately it did not work, and the userI am trying to assign to does actually exist in the enviroment when looking up the es_notable_events lookup which also has previous actions made on notables.

Is there another way to do this? What am I doing wrong?

Thanks,
Regards,

Re: How to automatically assign a recent random notable to a specific user

richgalloway — Tue, 25 Jan 2022 15:46:23 GMT

The key_field value should be be _key rather than owner. As it stands now, the query is attempting to change the lookup row with key "usertoassign", which doesn't exist and so the changes aren't made.

Re: How to automatically assign a recent random notable to a specific user

NightShark — Tue, 25 Jan 2022 15:57:21 GMT

Thank you for the response,

However I do not quite understand how to rewrite my query based on your feedback.

I have used the following resource from the Splunk docs to accomplish what I am trying to do:

https://docs.splunk.com/Documentation/ES/7.0.0/Admin/Createnotablesmanually

Regards,

Re: How to automatically assign a recent random notable to a specific user

richgalloway — Thu, 27 Jan 2022 19:10:30 GMT

I had doubts about that part of the document so I submitted feedback on it. The Docs team have since updated that SPL.

Re: How to automatically assign a recent random notable to a specific user

NightShark — Tue, 01 Feb 2022 06:01:58 GMT

I haven't really seen any update or any change on the specific SPL we were mentioning earlier, or am I looking at the wrong query?

SPL from doc as of 01.02.22:

| inputlookup es_notable_events | search owner=gleb | eval owner="george"| outputlookup es_notable_events append=true key_field=owner

Thanks,

Re: How to automatically assign a recent random notable to a specific user

richgalloway — Tue, 01 Feb 2022 12:56:38 GMT

It is updated in this version of the docs. I don't know why other versions are not updated.

https://docs.splunk.com/Documentation/ES/6.5.1/Admin/Createnotablesmanually#Use_the_owner_field_in_a_Splunk_event_to_create_a_notable_event_with_said_owner

Re: How to automatically assign a recent random notable to a specific user

NightShark — Tue, 01 Feb 2022 13:06:47 GMT

Well that is weird, Okay I got it. Thank you very much!

Re: How to automatically assign a recent random notable to a specific user

NightShark — Tue, 01 Feb 2022 13:25:08 GMT

Even though the referenced material is correct and works as intended by updating the csv for the specific line, however when loading incident review the notable events are still not mapped to a certain user unfortunately 😕 I assume they are overwritten by other rules or searches. Thank you either way.