topic Re: Configuring Notable event in Splunk Enterprise Security

Configuring Notable event

ajayrejin — Mon, 21 Jan 2019 10:56:44 GMT

I am trying to create a notable event I am writing a query (index=****** EventCode=4771) in search App and then clicking on SaveAs and then click on Alert. Then a popup opens for alert configuration. In that i have trigger Actions where there is option of Notable( Creates notable events). This creates a notable event . Is this the correct way of creating?

I see notables events created in Enterprise Security, however there is lot of events triggered (close to 1000 events) Each single events are generated, but not the aggregated one. Is there a way i can aggregate that in ES? .

Re: Configuring Notable event

alemarzu — Mon, 21 Jan 2019 14:42:30 GMT

Hello there @ajayrejin

Have you read this? https://docs.splunk.com/Documentation/ES/5.2.1/Admin/Createnotablesmanually

Kind regards.

Re: Configuring Notable event

lakshman239 — Tue, 29 Sep 2020 22:51:21 GMT

Pls go through this and create correlation searches and add throttling to limit the number of alerts you see. Also, a good practice would be to use index= your_specific_index addition to your search above

https://docs.splunk.com/Documentation/ES/5.2.2/Tutorials/CorrelationSearch

Re: Configuring Notable event

ajayrejin — Thu, 24 Jan 2019 13:01:33 GMT

I dont see that option of create correlation search under the configure->Content_>Content Mangagmeent->Create New content. I dont have admin access, its power user.

Let me tell how i created a notable event first. From the Search&Reporting app, wrote a query , then clicked on save as->Alert->filled in all the conditions->under trigger actions selected notable(creates notable events)

What is happening now is that configured alert is firing individual notable events and not aggregated one(like 10 failed logins in 1 min, then fire 1 notable event, that is not the case, all the 10 failed events are firing).
I had already given aggregation when i created that alert. Is there any way i can put an aggregation on notable event itself.

Re: Configuring Notable event

lakshman239 — Thu, 24 Jan 2019 14:18:13 GMT

I assume you are using Splunk Enterprise Security (premium product). If so, you would need to navigate to 'Enterprise Security' App and then you can navigate to Configure->Content Mgmt etc...

When working in Splunk ES, normally, we don't use 'Search and reporting' app, as the context is different.

If you are not having Splunk ES, what you are trying to do is the normal alert. Pls check again and share the splunk version and Splunk ES version. Also, go through above link.

Re: Configuring Notable event

ajayrejin — Fri, 25 Jan 2019 06:50:07 GMT

We are using Splunk Enterprise security, Splunk version is 7.1.3 and ES version is 5.2.2.

Re: Configuring Notable event

lakshman239 — Fri, 25 Jan 2019 09:21:21 GMT

ok, good. Did you follow the link https://docs.splunk.com/Documentation/ES/5.2.2/Tutorials/CorrelationSearch to create and test your search? If the issue resolved now?

Re: Configuring Notable event

ajayrejin — Fri, 25 Jan 2019 11:57:42 GMT

I did go through the document, but i dont see a option of creating a correlation search as mentioned in the document.

Re: Configuring Notable event

lakshman239 — Fri, 25 Jan 2019 13:21:31 GMT

Are you logging in as 'admin' or any other user? if its not admin, you need to make sure your role/user has required capabilities.