Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Enterprise Security -> Customizing Incident Review -> Adding Short ID

cbschreiber
Explorer
‎04-12-2021 01:32 PM

I'm wanting to add the short ID that one can generate for a notable in IR. 

cbschreiber_1-1618258938697.png

cbschreiber_0-1618258902334.png

To the columns in Incident Review for our SOC to use. 

cbschreiber_2-1618258995741.png

However, I can't find the proper attribute name for this and it's not in the notable index, or in notable_xref_lookup or es_notable_events lookup. 

Hoping someone can tell me what the correct "Short ID" attribute name is.

Also hoping someone can tell me how to force ES to create a Short ID for EVERY notable. 

Thanks in Advance!

 

Labels (2)
Labels
Reply

daventura
Loves-to-Learn Lots
‎01-10-2023 03:52 AM

under incident review settings table attributes enter

 

notable_xref  as the field and Short ID as the title

 

Also you should schedule a search to run every  5 minutes  */5 * * * *

to automatically create the short id's, this is most helpful 

`notable`
| where isnull(notable_xref)
| eval notable_time=_time, xref_label="Short ID", xref_name="short_id", xref_id="V".substr(upper(md5(event_id)), 0, 5)
| table event_id, notable_time, xref_id, xref_label, xref_name
| outputlookup append=t notable_xref_lookup

Tags (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...