Solved: How to achieve custom fields in incident review da...

gcusello · ‎11-25-2022

Hi at all,

I tried to customize the Incident Review Dashboard to display some additional fields as user, src or dest, as described in the Enterprise Security Admin course.

At first I found that to have these fields in the Additional Fields, I must add them also to the main dashboard columns, otherwise the additional field isn't displayed, and this is already something not documented.

But the problem is that this field is displayed only for some Notables and not for all (as i waited),
I also found that the src field is present in all the Notables (except risk based notables), instead user and dest (the most important is user that should be always present) sometimes are present and sometimes not.
I supposed that the issue was in the Correlation Search that doesn't add this field to the Notable but opening the Notable with the contributing events link the field is always present.

Had someone else experienced this issue?

Thank you for your attention.
Ciao.
Giuseppe

gcusello · ‎01-29-2023

Hi at all,

the solution was to modify Correlation Searches to have the fields to display in the Notable events.

Thanks to Splunk Support.

ciao.

Giuseppe

View solution in original post

gcusello · ‎01-29-2023

Hi at all,

the solution was to modify Correlation Searches to have the fields to display in the Notable events.

Thanks to Splunk Support.

ciao.

Giuseppe

How to achieve custom fields in incident review dashboard?

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases