Enterprise Security -> Customizing Incident Review...

cbschreiber · ‎04-12-2021

I'm wanting to add the short ID that one can generate for a notable in IR.

To the columns in Incident Review for our SOC to use.

However, I can't find the proper attribute name for this and it's not in the notable index, or in notable_xref_lookup or es_notable_events lookup.

Hoping someone can tell me what the correct "Short ID" attribute name is.

Also hoping someone can tell me how to force ES to create a Short ID for EVERY notable.

Thanks in Advance!

daventura · ‎01-10-2023

under incident review settings table attributes enter

notable_xref as the field and Short ID as the title

Also you should schedule a search to run every 5 minutes */5 * * * *

to automatically create the short id's, this is most helpful

`notable`
| where isnull(notable_xref)
| eval notable_time=_time, xref_label="Short ID", xref_name="short_id", xref_id="V".substr(upper(md5(event_id)), 0, 5)
| table event_id, notable_time, xref_id, xref_label, xref_name
| outputlookup append=t notable_xref_lookup

Enterprise Security -> Customizing Incident Review -> Adding Short ID

access control

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation