Archive

How to get details of Notable event

Explorer

How to get details of a Notable event using API - eventid hash, ruleid, severity, urgency etc

How to get a Notable event from a sid and how does a Notable event relate to an Incident

Is there a way to get the related events, independent log lines that triggered the Notable event (not the summary)

Tags (1)

Explorer

curl -k -u username:password https://splunkserver:8089/servicesNS/admin/search/search/jobs/export -d search="search %60notable%60 | search eventhash=youreventhash | fields ruleid, eventhash, eventid, urgency, severity" -d "outputmode=json"

0 Karma

Explorer

Did you ever find out an answer for this question? Thanks,
Harsha.

0 Karma

Explorer

I was not very clear on the Question. I can see the Notable details on the Incident Review screen, What I want is to get these details using a REST API or other calls. ie Notable events details and related events using an API with sid as the input parameter

0 Karma

New Member

Hey,
Got any method to get this notable event_id?, I am also struggling to get this value.

Thanks,

0 Karma

Builder

I presume, you are referring to Enterprise Security App.

You may click notable event, then click arrow on far left. You will get below details including eventid, eventhash, domain, urgency etc.

Description:

The system 10.11.36.20 has failed sshd authentication 44 times using 38 username(s) against 1 target(s) in the last hour
Additional Fields Value Action

Application sshd

Source 10.11.36.20

Source Business Unit americas

Source Category pci

splunk

Source City Pleasanton

Source Country USA

Source IP Address 10.11.36.20

Source Expected true

Source Latitude 37.694452

Source Longitude -121.894461

Source Owner Bill_williams

Source PCI Domain trust

Source Requires Antivirus false

Source Should Time Synchronize true

Source Should Update true

Correlation Search:
Access - Excessive Failed Logins - Rule
History:
View all review activity for this Notable Event
Contributing Events:

View all login failures by system 10.11.36.20 for the application sshd

Event Details:
eventid es1-ap.demo.splunk.com@@notable@@d3a7697a3a20234151c5ab8669716857

event
hash d3a7697a3a20234151c5ab8669716857

eventtype nix-all-logs

suppress_src

notable

A notable event is a Splunk term. Whenever underlying correlation search comes positive, it will generate a notable event.
You can see correlation search that triggered notable event.

0 Karma

Explorer

Thanks Satish, I was not very clear on the Question. I can see the Notable details on the Incident Review screen, What I want is to get these details using a REST API or other calls.

Currently I am using a Scripted alert when a Notable is generated. This triggers a script and in the script I have the search ID and using the 8 Splunk provided ENV variables some more details on the events which caused the Notable event.

But so far I have not seen an easy way to retrieve the Notable event details (eventid, ruleid, hash, urgency, severity etc) along with the incidents to an external ticketing system. Ideal way would be I have the sid using the Alerts in the scripts. Using that I call an API to get details on Notable events and related events and pass that info to an external system.

and Is there a way to get the independent log line that triggered the Notable event (not the summary)

Today I use this to get details of the search using sid

https://splunk:8089/services/search/jobs/rt_scheduler__admin_REEtRVNTLUFjY2Vzc1Byb3RlY3Rpb24__RMD5b9...

So similar to this if I can call an API to get Notable event or Incident details along with related events using the sid ?

0 Karma