topic Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"? in Splunk Enterprise Security

Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

MHibbin — Wed, 19 Aug 2015 15:47:47 GMT

Hi,

We have a requirement to add some additional fields to events under "Incident Review" for IOCs (I have looked at some of the mappings in notables2.html), however, they don't give us quite enough flexibility.

How do I add these additional fields under the heading "Additional Fields" (e.g. dest displays as "Destination")?

I have had a look at the following however changing the HTML or log_review.conf did not appear to make any difference:

http://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

Thanks,

MHibbin

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

esix_splunk — Wed, 19 Aug 2015 15:58:59 GMT

Have you seen this portion of the documentation : http://docs.splunk.com/Documentation/ES/3.3.1/User/IncidentReviewdashboard#Modify_the_Incident_Review_dashboard ?

It describes removing fields, but it should hold the same to adding fields, but I havent tried this yet. If you try, do let us know the results.

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

MHibbin — Wed, 19 Aug 2015 16:08:52 GMT

Thanks @esix,

My log_review.conf file only has the following:

[notable_editing]
allow_urgency_override=true

[comment]
minimum_length=20
is_required=false

I also used btool to identify any other instances, however, that was the only one.

So don't really have much to go on.

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

ekost — Thu, 20 Aug 2015 15:26:51 GMT

Can you verify what you're trying to accomplish? My interpretation is, you would like the correlation search to grab additional fields and provide/display them in a notable event. But your description could also be interpreted as adding a new event action from an existing field in a notable event. And @esix is offering another perspective.

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

MHibbin — Thu, 20 Aug 2015 15:47:11 GMT

@ekost,

My correlation search is generating all the fields required (i.e. I could add them to the title/description as variables), however I would like them to appear under "Additional Fields", where there is currently items such as:

Destination
Destination Expected
Destination Requires AntiVirus
Process
User

Obviously these are fields that are referenced in the CIM; I would like to add ones, e.g:

IOC Source
IOC Description
IOC Classification
IOC Date
Etc,

The intention is that I we can add these fields to the notables/events in Incident Review, so that the review is more streamlined and also so that we can create workflow actions on the IOC themselves (e.g. Open Source checks, checks on other systems internally, etc.) for each instance.

We do have other use cases, not just IOC information.

Hope this is a bit clearer.

Thanks,

Matt

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

ekost — Tue, 29 Sep 2020 07:03:43 GMT

I've verified that the advice of @jbrodsky is correct. The log_review.conf controls the fields displayed in Incident Review. If you wish to add fields, copy the entire $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/log_review.conf to SA-ThreatIntelligence/local and add the new fields under the stanza:

[incident_review]
event_attributes =

An example is available in: SA-ThreatIntelligence/README/log_review.conf.example. You can verify the changes with: splunk cmd btool log_review list —debug. Note: if you tack the new fields on to the bottom of the file, beware of leaving a trailing comma on the bottom/last field definition. That bit me while testing the changes.

The default behavior is that the field name will not appear in the NE if the search results do not contain data for that field. If you don't see your new fields, test the output again with a field that appears in all results, such as index. Refresh the Incident Review dashboard after changing log_review.conf for the changes to take effect.

I hope that helps!

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

jbrodsky_splunk — Fri, 21 Aug 2015 19:38:16 GMT

So Matt, I'm late to the game, but you mention that changes to log_review.conf are not making any difference. Can you go through the more detailed example given by @ekost and let us know what the results are? I'm curious as to the output of btool...

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

LukeMurphey — Fri, 21 Aug 2015 20:14:58 GMT

BTW: you can use an online JSON parser to verify that the fields are valid JSON. I generally use this one: http://json.parser.online.fr/

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

MHibbin — Sat, 22 Aug 2015 14:24:07 GMT

Thanks @ekost & @jbrodsky, I have just configured a test instance with version 3.3.1 and this solution appears to be working correctly.

In our current version the log_review.conffile does not have the same contents (namely missing table_attributes and event_attributes)

Looks like I will have to schedule in some upgrade work!

Thanks for your help.

Best,

Matt

Re: Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

jrivas_splunk — Mon, 30 Apr 2018 20:06:00 GMT

That comma is very important . I encountered an issue where the commas were missing after "User Email"} :
{"field": "user_email", "label": "User Email"}\

this caused the Incident Review - Event Attributes to be hidden and the add new entry button to disappear as well. It was not until those changes were made that it all worked out.

{"field": "user_email", "label": "User Email"},\