topic Re: ES : Time range picker not working for incident_review macro in Splunk Enterprise Security

ES : Why is time range picker not working for incident_review macro?

neerajs_81 — Thu, 28 Jul 2022 15:17:53 GMT

Hello, In ES when we run the following macro for Last 30 mins or Last 24 H time range, splunk ends up displaying results from all the way back in time as in last 6 months data as well. Why is that so ? Its as if its completely ignores the date/time range whatever we specify. BTW, This is Out of the box macro.

|`incident_review` | table _time owner rule_id rule_name status_label

My requirement is to show the Notables triggered based on the date range we select.
Secondly, does anyone know how to show Number of Incidents (Notable alerts) worked on by each SOC analyst ? Basically i m trying to generate performance metrics of each analyst, how many alerts they worked on, time to close each alert etc, details of each status change etc. The default provided SOC operations dashboard sucks.

Re: ES : Time range picker not working for incident_review macro

chaker — Thu, 28 Jul 2022 11:58:09 GMT

If you press CTRL SHIFT E on that search you will see the macro fully expanded.

It's just a bunch of lookups, and the timerange picker only works on _time.

Notice at the end of the search there is an eval for time?

| eval _time=time

You can use that with some tokens on a dashboard or manually add filters to the search for _time.

Does that help?

Re: ES : Time range picker not working for incident_review macro

chaker — Thu, 28 Jul 2022 12:15:34 GMT

I added some fields at the end of the table to show the day, hour and year. You can make more using the time variables here:
https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Commontimeformatvariables

| inputlookup append=T incident_review_lookup | rename user as reviewer | lookup update=true user_realnames_lookup user as "owner" OUTPUTNEW realname as "owner_realname" | eval "owner_realname"=if(isnull('owner_realname'),'owner','owner_realname') | lookup update=true user_realnames_lookup user as "reviewer" OUTPUTNEW realname as "reviewer_realname" | eval "reviewer_realname"=if(isnull('reviewer_realname'),'reviewer','reviewer_realname') | eval nullstatus=if(isnull(status),"true","false") | eval temp_status=if(isnull(status),-1,status) | lookup update=true reviewstatuses_lookup _key as temp_status OUTPUT status,label as status_label,description as status_description,default as status_default,end as status_end | eval status=if(isnull(status_label),0,status),status_label=if(isnull(status_label),"Unassigned",status_label),status_description=if(isnull(status_description),"unknown",status_description),"status_default"=case(match('status_default', "1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match('status_default', "0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",1=1,'status_default'),"status_end"=case(match('status_end', "1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match('status_end', "0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",1=1,'status_end'),status_group=case(status_default=="true","New",status_end=="true","Closed",status=0,"New",1=1,"Open") | fields - temp_status | eval status=if((isnull(status) OR isnull(status_label)) AND nullstatus=="false",0,status) | eval status_label=if(isnull(status_label) AND nullstatus=="false","Unassigned",status_label) | eval status_description=if(isnull(status_description) AND nullstatus=="false","unknown",status_description) | eval _time=time | fields - nullstatus | eval eventHour=strftime(_time,"%H") | eval eventMin=strftime(_time,"%M") | eval eventDay=strftime(_time,"%A") | eval eventYear=strftime(_time,"%Y") | table _time owner rule_id rule_name status_label eventHour eventDay eventMin eventYear

Re: ES : Time range picker not working for incident_review macro

chaker — Thu, 28 Jul 2022 12:19:19 GMT

To your second question, have you tried the Incident Review Audit report on the Audit menu?

en-US/app/SplunkEnterpriseSecuritySuite/incident_review_audit

Re: ES : Why is time range picker not working for incident_review macro?

neerajs_81 — Thu, 28 Jul 2022 17:35:31 GMT

Thanks a lot. Appreciate it

Re: ES : Time range picker not working for incident_review macro

neerajs_81 — Fri, 29 Jul 2022 05:03:24 GMT

Hi, i have marked your search as Solution but i am noticing that even if i run it with a Time range of last 24h, it still ends up dumping out everything. It does not show me the data specific to whatever date filter i have selected. I misunderstood then. How am i supposed to pass on the time filter to this macro if there is |eval _time=time at the bottom ?

Re: ES : Time range picker not working for incident_review macro

chaker — Fri, 29 Jul 2022 07:39:43 GMT

What are you trying to do with this macro?

The Incident Review dashboard in ES will let you use the time range picker to filter notable events. Plus you could setup a time range and other conditoin like status=resolved and save it as a filter.

/en-US/app/SplunkEnterpriseSecuritySuite/incident_review