Dashboards & Visualizations

Clicking on a custom rule's name in ES Top Notable Events doesn't filter in the Incident review

ravida
Explorer

Hi folks,


This has been bugging me for a while. When I click on a custom-made correlation search in the Security Posture's Top Notable Events dashboard pane, it doesn't filter for that rule name in the incident review, it just shows all of them. Where do I configure it to drill down properly?


Thanks!



gcusello
SplunkTrust

Hi @ravida,

I never experienced this behavior and I'm using many custom Correlation Searches.

Is this issue present for all the CS or only for that?

Ciao.

Giuseppe


ravida
Explorer

It happens for all of them.


The strange part is, when I first click, you can see the notable name in the URL after "/incident_review?form.rule_name=(rule name)", followed by the earliest/latest timestamps,

but after a moment it disappears and is replaced with a new URL which only has the earliest/latest values.

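A small diagnostic for the symptom described above (the drilldown URL being rewritten a moment after the click), added here as an example and not code from this thread or from Splunk Enterprise Security. It takes the first URL and the rewritten URL and reports which query tokens were lost in the rewrite. The hostname, app path, rule name and time range in the two sample URLs are constructed placeholders; paste in the two URLs copied from your own browser's address bar to run the same check against a real deployment.

```python
"""Diagnose which Incident Review form tokens are dropped when the page
rewrites its own URL after a dashboard drilldown.

Added example, not code from the thread or from Splunk ES. The two URLs
below are constructed for illustration (hostname, rule name and timestamps
are placeholders), shaped like the behaviour the post describes: the first
URL carries form.rule_name plus earliest/latest, the rewritten one keeps
only the time range.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs (placeholders, not captured from a real deployment).
INITIAL_URL = (
    "https://es.example.invalid/en-US/app/SplunkEnterpriseSecuritySuite/"
    "incident_review?form.rule_name=Custom%20-%20Example%20Rule"
    "&earliest=-24h%40h&latest=now"
)
REWRITTEN_URL = (
    "https://es.example.invalid/en-US/app/SplunkEnterpriseSecuritySuite/"
    "incident_review?earliest=-24h%40h&latest=now"
)


def form_tokens(url: str) -> dict:
    """Return the query parameters of a dashboard URL as {name: [values]}.

    parse_qs percent-decodes values, so 'Custom%20-%20Example%20Rule' comes
    back as 'Custom - Example Rule' and '-24h%40h' as '-24h@h'.
    """
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def dropped_tokens(initial_url: str, rewritten_url: str) -> dict:
    """Parameters present in the first URL but missing or changed in the second.

    Returns {name: original_values}; an empty dict means every drilldown
    token survived the rewrite.
    """
    before = form_tokens(initial_url)
    after = form_tokens(rewritten_url)
    return {name: values for name, values in before.items()
            if after.get(name) != values}


def drilldown_filter_survives(initial_url: str, rewritten_url: str,
                              token: str = "form.rule_name") -> bool:
    """True when the named form token is still carried by the rewritten URL."""
    return token not in dropped_tokens(initial_url, rewritten_url)


if __name__ == "__main__":
    lost = dropped_tokens(INITIAL_URL, REWRITTEN_URL)
    for name, values in lost.items():
        print(f"dropped: {name} = {values}")
    print("rule_name filter survives:",
          drilldown_filter_survives(INITIAL_URL, REWRITTEN_URL))
```

With the constructed URLs the script reports that `form.rule_name` was dropped while `earliest` and `latest` survived, which matches the behaviour described in the post; if your own pair of URLs shows the token surviving, the filter itself is reaching Incident Review and the problem is elsewhere.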

gcusello
SplunkTrust

Hi @ravida ,

As I said, I never experienced this behavior and I'm using many custom Correlation Searches.

Open a case to Splunk Support.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @ravida ,

when you created the Correlation Search, did you associate the "Add Notable" Adaptive Response Action?

Then, when you configured the Add Notable Adaptive Response Action, did you create the Drilldown Search?

Ciao.

Giuseppe


ravida
Explorer

They are blank. I was under the impression these are for showing the contributing events. Although I am trying to get the "Incident Review" to only show those notables in the list, instead of all notables.
