topic Re: How to get details of Notable event in Splunk Search

How to get details of Notable event

badadata1 — Mon, 28 Sep 2020 19:09:44 GMT

How to get details of a Notable event using API - event_id hash, rule_id, severity, urgency etc

How to get a Notable event from a sid and how does a Notable event relate to an Incident

Is there a way to get the related events, independent log lines that triggered the Notable event (not the summary)

Re: How to get details of Notable event

satishsdange — Mon, 28 Sep 2020 19:09:56 GMT

I presume, you are referring to Enterprise Security App.

You may click notable event, then click arrow on far left. You will get below details including event_id, event_hash, domain, urgency etc.

Description:

The system 10.11.36.20 has failed sshd authentication 44 times using 38 username(s) against 1 target(s) in the last hour
Additional Fields Value Action

Application sshd

Source 10.11.36.20

Source Business Unit americas

Source Category pci

splunk

Source City Pleasanton

Source Country USA

Source IP Address 10.11.36.20

Source Expected true

Source Latitude 37.694452

Source Longitude -121.894461

Source Owner Bill_williams

Source PCI Domain trust

Source Requires Antivirus false

Source Should Time Synchronize true

Source Should Update true

Correlation Search:
Access - Excessive Failed Logins - Rule
History:
View all review activity for this Notable Event
Contributing Events:

View all login failures by system 10.11.36.20 for the application sshd

Event Details:
event_id es1-ap.demo.splunk.com@@notable@@d3a7697a3a20234151c5ab8669716857

event_hash d3a7697a3a20234151c5ab8669716857

eventtype nix-all-logs

suppress_src

notable

A notable event is a Splunk term. Whenever underlying correlation search comes positive, it will generate a notable event.
You can see correlation search that triggered notable event.

Re: How to get details of Notable event

badadata1 — Mon, 28 Sep 2020 19:09:59 GMT

Thanks Satish, I was not very clear on the Question. I can see the Notable details on the Incident Review screen, What I want is to get these details using a REST API or other calls.

Currently I am using a Scripted alert when a Notable is generated. This triggers a script and in the script I have the search ID and using the 8 Splunk provided ENV variables some more details on the events which caused the Notable event.

But so far I have not seen an easy way to retrieve the Notable event details (event_id, rule_id, hash, urgency, severity etc) along with the incidents to an external ticketing system. Ideal way would be I have the sid using the Alerts in the scripts. Using that I call an API to get details on Notable events and related events and pass that info to an external system.

and Is there a way to get the independent log line that triggered the Notable event (not the summary)

Today I use this to get details of the search using sid

https://splunk:8089/services/search/jobs/rt_scheduler__admin_REEtRVNTLUFjY2Vzc1Byb3RlY3Rpb24__RMD5b909c1462f27f19b_at_1425994278_5795/results

So similar to this if I can call an API to get Notable event or Incident details along with related events using the sid ?

Re: How to get details of Notable event

badadata1 — Mon, 16 Mar 2015 04:26:00 GMT

I was not very clear on the Question. I can see the Notable details on the Incident Review screen, What I want is to get these details using a REST API or other calls. ie Notable events details and related events using an API with sid as the input parameter

Re: How to get details of Notable event

harshanagaraj — Mon, 06 Apr 2015 19:59:15 GMT

Did you ever find out an answer for this question? Thanks,
Harsha.

Re: How to get details of Notable event

harshanagaraj — Mon, 28 Sep 2020 19:31:31 GMT

curl -k -u username:password https://splunkserver:8089/servicesNS/admin/search/search/jobs/export -d search="search %60notable%60 | search event_hash=yourevent_hash | fields rule_id, event_hash, event_id, urgency, severity" -d "output_mode=json"

Re: How to get details of Notable event

ziax — Fri, 05 Feb 2016 04:59:21 GMT

Hey,
Got any method to get this notable event_id?, I am also struggling to get this value.

Thanks,