Hi there,
we're currently migrating to ES 8 and need to see Work Notes (comments) provided by analysts in some dashboards/reports. Previously, the incident_updates_lookup contained the "comment" field, which held this information, and was easy to access in a search.
With ES 8, this was obviously mentioned as a limitation - "The Comments feature available in prior versions of Splunk Enterprise Security is now replaced by an enhanced capability to add notes."
How can we access those notes (KV Store/Lookup/...) outside of having to click through the Mission Control/Analyst Queue manually? Where are they stored?
Hello hcpr,
we did run into the same issue shortly after my previous post, and I forgot to give an update in here.
The app "missioncontrol" exposes a few endpoints to do with incidents and investigations, and tracing the behavior of Enterprise Security when fetching comments led us to its OpenAPI spec which you can find at missioncontrol/mcopenapi.yaml.
The incidents endpoint, when fed a finding/notable ID, will return a list of comments. I recommend that everyone take a look at the requests in your browser's developer tools when interacting with finding notes on the Analyst Queue to see how the endpoint works. Ultimately, we went that way and implemented a custom command to perform the same requests at search time. This is now working flawlessly for us so far, getting even those notes which have no incident_id or source in mc_notes.
Hope this helps!
I have another approach.
It seems that these update events are getting stored into the audit trail.
So you can find the content of the notes with the search:
index="_audit" source=mc_notes
As usual, I figured it out shortly after finally asking.
Notes are kept in the mc_notes collection in the missioncontrol app, if anyone else was wondering...
Good afternoon @ljvc. Could you provide some direction on how you're accessing the mc_notes collection from within the Mission Control app? Struggling to find this.
Hi @randoj !
We just created a lookup definition manually in a local/transforms.conf, as you would with any other KV Store lookup.
Additionally, we needed to do the same for the mc_incidents collection, as it is needed to correlate notable_ids and incident_ids, the latter of which are used in mc_notes.
It probably is easier to access the collections using the Python SDK and scripts, but this solution worked for us and required less setup.
Hope this helps!
Hi,
Thanks for your help in solving this issue. Here is my solution :
Create the lookup definition in missioncontrol/local/transforms.conf for mc_notes :
[mc_notes_lookup]
collection = mc_notes
external_type = kvstore
fields_list = ai_generated,content,create_time,files,incident_id,last_edited_by,source,source_type,title,update_time,_key
Comments can then be correlated with notables:
`notable`
|eval `get_event_id_meval`,rule_id=event_id
|lookup mc_findings_lookup notable_id AS event_id OUTPUT _key AS incident_id
|lookup mc_notes_lookup incident_id OUTPUT content AS comment
Hope this helps.
@ljvc I appreciate the information, this is helpful. Would you be able to share your transforms.conf files against the mc_incidents and mc_notes collections? I'd like to better understand how that correlation with incident_id is happening between the collections and dumping it into something readable in a lookup.
@randoj unfortunately, I cannot share the exact files. However, you should be able to get the incident id for each finding using its calculated rule_id (compare the eval statement for rule_id/event_id in [Incident Review - Main] in SA-ThreatIntelligence/default/savedsearches.conf) via the mc_incidents collection, which has a field notable_id iirc. Then, use that id as a key against the mc_notes collection, and you can get notes for findings. Hope this clears things up a bit!
@ljvc I appreciate the information you were able to provide, this is helpful. On a side note I do have an active case open with Splunk support on this topic. Their latest update was that this has been a reported issue, and that they expect it to be addressed in ES 8.2 per an internal JIRA ticket.
Download the Splunk App for Lookup File Editing. In the Lookups menu, select All and search for mc_notes. In the Actions menu, click the magnifier button to search the mc_notes lookup. A prompt will show up asking you to create a lookup transform. Add the name that you want and click Create transform.
Open a new search and run | inputlookup mc_notes to show the mc_notes content.
Hi,
Following up on the above discussion, has anyone else discovered that there are quite a few instances where the "incident_id" field is blank in the mc_notes lookup?
The other fields (author.username, create_time and content) contain the correct information, but there is nothing in incident_id.
Makes it a bit difficult to match the note to the corresponding incident 🙂
For some reason, as far as I can see, in the case of updates to old events Splunk writes the change into the _audit index. You can access it with this search:
index=_audit source=mc_notes
| rex "(?<timestamp>[\d.]+),(?<incident_id>[\w-]+),(?<user>[\w_]+),(?<model>[\w]+),(?<command>[\w]+),(?<diff>.+)"
| eval time=_time
| table time, user, incident_id, diff, command
| rex field=diff mode=sed "s/\\\\//g"
| rex field=diff mode=sed "s/^\"//g"
| rex field=diff mode=sed "s/\"$//g"
| spath input=diff
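As an added example (not from any poster in this thread), the same parsing the _audit search above does, written in Python over constructed sample lines: the rex fields, the three sed cleanup steps on the diff, and the spath expansion of the JSON. It goes one step beyond the search by also accepting a blank incident_id, since later posts report notes with that field empty; the sample lines, the uuid-style ids and the title/content keys inside the diff JSON are assumptions.

```python
import json
import re

# Constructed sample _audit events (not real Splunk output), laid out as the
# rex in the search above expects: timestamp,incident_id,user,model,command,diff
SAMPLE_AUDIT_LINES = [
    r'1700000000.123,8f2c1a7e-0000-4000-8000-000000000001,analyst1,note,create,"{\"title\":\"Triage\",\"content\":\"Confirmed phishing, blocking sender\"}"',
    r'1700000050.456,8f2c1a7e-0000-4000-8000-000000000001,analyst2,note,update,"{\"content\":\"Sender blocked at the gateway\"}"',
    r'1700000099.789,,analyst1,note,create,"{\"content\":\"Note with no incident_id\"}"',
]

# Same capture groups as the search's rex, except incident_id may be empty
AUDIT_RE = re.compile(
    r"^(?P<timestamp>[\d.]+),(?P<incident_id>[\w-]*),(?P<user>\w+),"
    r"(?P<model>\w+),(?P<command>\w+),(?P<diff>.+)$"
)

def clean_diff(raw_diff):
    # The three sed steps from the search: drop every backslash, then strip the
    # surrounding double quotes. As in the search, a backslash that was part of
    # the note text itself is lost here too.
    no_backslashes = raw_diff.replace("\\", "")
    return re.sub(r'"$', "", re.sub(r'^"', "", no_backslashes))

def parse_mc_notes_audit(lines):
    # Produce rows like the search's `table` command, with the diff JSON
    # already expanded (the spath step).
    rows = []
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue  # not an mc_notes audit line in the expected shape
        try:
            diff = json.loads(clean_diff(m["diff"]))
        except json.JSONDecodeError:
            diff = {}  # keep the row even if the diff is not parseable JSON
        rows.append({
            "time": float(m["timestamp"]),
            "user": m["user"],
            "incident_id": m["incident_id"] or None,  # blank field -> None
            "command": m["command"],
            "title": diff.get("title"),
            "content": diff.get("content"),
        })
    return rows
```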
@ljvc are you able to share any more details on your solution? Struggling to figure out how to get all the comments in a single report. thanks in advance!
Hi there! We ultimately implemented a custom command to query the missioncontrol API based on the event_id for each finding. This returns all relevant notes. You can use the usual service object the custom command classes provide to formulate GET requests to the ES API using its service.get() function while passing along information from each event you're looking to report on.
As mentioned above, the best way to understand the necessary requests is to just follow along with the requests contents when using the ES UI with your browser, in addition to the documentation in the missioncontrol app. For custom commands and the service object, check the custom command examples in splunk dev and the splunk SDK documentation respectively.
Hope this helps, best of luck with your implementation!