
Enterprise Security -> Customizing Incident Review -> Adding Short ID

cbschreiber
Explorer

I'm wanting to add the short ID that one can generate for a notable in IR to the columns in Incident Review for our SOC to use.

However, I can't find the proper attribute name for this; it's not in the notable index, nor in the notable_xref_lookup or es_notable_events lookups.

Hoping someone can tell me what the correct "Short ID" attribute name is.

Also hoping someone can tell me how to force ES to create a Short ID for EVERY notable. 

Thanks in Advance!


daventura
Loves-to-Learn Lots

Under Incident Review settings, Table Attributes, enter notable_xref as the field and Short ID as the title.

Also, you should schedule a search to run every 5 minutes (*/5 * * * *) to automatically create the short IDs; this is most helpful:

`notable`
| where isnull(notable_xref)
| eval notable_time=_time, xref_label="Short ID", xref_name="short_id", xref_id="V".substr(upper(md5(event_id)), 0, 5)
| table event_id, notable_time, xref_id, xref_label, xref_name
| outputlookup append=t notable_xref_lookup

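As an added example (not from the original post or from Splunk), this Python script re-derives the Short ID the way the scheduled search above does, reproduces its "only notables without an xref" filter, and adds a check the search does not have: five hex characters give only 2^20 possible values, so duplicate IDs become more likely than not once roughly 1,200 notables carry one. It assumes the SPL's substr offset of 0 means the start of the MD5 string; the notables and lookup rows are constructed sample data.

```python
import hashlib

# Constructed sample data standing in for `notable` results and the current
# contents of notable_xref_lookup (not real Splunk output).
NOTABLES = [
    {"event_id": "evt-001", "_time": 1618258900},
    {"event_id": "evt-002", "_time": 1618258960},
    {"event_id": "evt-003", "_time": 1618259020},
]
EXISTING_LOOKUP = [{"event_id": "evt-001", "xref_id": "VAAAAA", "xref_name": "short_id"}]

def short_id(event_id: str) -> str:
    """Mirror the SPL "V".substr(upper(md5(event_id)), 0, 5); the offset of 0
    is assumed to mean the start of the hex digest."""
    digest = hashlib.md5(event_id.encode("utf-8")).hexdigest().upper()
    return "V" + digest[:5]

def build_xref_rows(notables, existing_lookup):
    """`| where isnull(notable_xref)` plus the `| table ...` projection:
    only notables without a lookup row get a new Short ID."""
    already_tagged = {row["event_id"] for row in existing_lookup}
    return [
        {
            "event_id": n["event_id"],
            "notable_time": n["_time"],
            "xref_id": short_id(n["event_id"]),
            "xref_label": "Short ID",
            "xref_name": "short_id",
        }
        for n in notables
        if n["event_id"] not in already_tagged
    ]

def find_collisions(lookup_rows):
    """Return {xref_id: [event_ids]} for IDs shared by more than one notable.
    Five hex chars give 2**20 values, so by the birthday bound a duplicate is
    more likely than not once roughly 1,200 rows have been written."""
    by_xref = {}
    for row in lookup_rows:
        by_xref.setdefault(row["xref_id"], []).append(row["event_id"])
    return {xref: ids for xref, ids in by_xref.items() if len(ids) > 1}

def refresh_lookup(notables=NOTABLES, existing_lookup=EXISTING_LOOKUP):
    """One scheduled-search cycle: append new rows (outputlookup append=t),
    then audit the merged lookup for colliding Short IDs."""
    merged = existing_lookup + build_xref_rows(notables, existing_lookup)
    return merged, find_collisions(merged)
```

Calling refresh_lookup() returns the merged lookup rows together with any Short IDs that map to more than one event_id, which is the condition an analyst would otherwise only discover when two notables answer to the same ID.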