Splunk Enterprise Security

Add Notable Event to an ES Investigation using the API

dsofoulis
Path Finder

I would like to have an investigation created with a notable event recorded in there using the API.

I've been trying to achieve this by adding a notable event to an ES investigation using the API.

So far I have been able to create an investigation and then add an artifact to it using the API.

The next step I need to complete is to insert a notable event into an ES investigation using the API.

Alternatively, if it's possible to create an investigation from a notable using the API, then I would also be happy with that option.

obw1r3d
SplunkTrust

After much tinkering I just figured it out. It's not pretty but it worked for me. This is my "v1" if you will, *just* got it to work. There may be better ways to do it.

Ok, so here's the API call:

curl -X POST -H "Authorization: Bearer YOUR_API_TOKEN" -k 'https://splunk_es:8089/services/storage/investigation/investigation_event?output_mode=json' --data '{"event_id":"your_notable_event_id","class_name":"notable_event","parent_class":"investigation","parent_id":"your_investigation_id","parent_version":1,"version":1,"title":"your_notable_title","start_time":1763586197,"end_time":0,"comments":[],"tags":[],"sourcetype":"stash","host":"your_splunk_es_host","raw": "json_encoded_raw_contents"}'

The "start_time" is the time of creation for the notable event. To create the raw field containing all of the notable's fields, I used this Splunk search:

`notable` 
| search event_id="your_notable_event_id"
| fields - tag::eventtype
| eval raw = ""
| foreach *
[eval temp_field = "\"<<FIELD>>\": " . <<FIELD>>
| eval raw = mvappend(raw, temp_field) ]
| eval raw = ltrim(mvjoin(raw, ","),",")

Then in my SOAR tool I JSON-encoded the output, and used it in the API call.

The main issue I've seen so far in my testing is that the notable doesn't display properly in the investigation's timeline. I'm guessing this may be because the "raw" field isn't being properly parsed. I'll continue tinkering on my end and see if I can make it work, but for now this does seem to add the notable to the investigation, and it is reflected in the Incident Review UI as well as the Investigation's "Summary" UI. And of course the investigation API calls.

obw1r3d
SplunkTrust

Ok, I finally cracked it. Took entirely way too long but the below solution works: notable is added to investigation, and it is displayed properly in the investigation UI (Timeline, both Slide and List views). Splunk Enterprise 9.4.4, ES 7.3.4.

The API call is still the same as in my initial post:

curl -X POST -H "Authorization: Bearer YOUR_API_TOKEN" -k 'https://splunk_es:8089/services/storage/investigation/investigation_event?output_mode=json' --data '{"event_id":"your_notable_event_id","class_name":"notable_event","parent_class":"investigation","parent_id":"your_investigation_id","parent_version":1,"version":1,"title":"your_notable_title","start_time":1763586197,"end_time":0,"comments":[],"tags":[],"sourcetype":"stash","host":"your_splunk_es_host","raw": "json_encoded_raw_contents"}'

The "start_time" is the time of creation for the notable event. To create the raw field containing the necessary fields, I used the below search.

`notable` 
| search event_id="your_notable_event_id"
| eval raw = replace(_raw,"\"", "\\\"")
| eval raw = "\"_raw\":[\"" . raw . "\"]"
| eval bkt = "\"_bkt\":[\"" . _bkt . "\"]"
| eval cd = "\"_cd\":[\"" . _cd . "\"]"
| eval eventtype_color = "\"_eventtype_color\":[\"" . _eventtype_color . "\"]"
| eval indextime = "\"_indextime\":[\"" . _indextime . "\"]"
| eval serial = "\"_serial\":[\"" . _serial . "\"]"
| eval sourcetype_internal = "\"_sourcetype\":[\"" . _sourcetype . "\"]"
| eval eventtype = "\"eventtype\":[\"modnotable_results\",\"notable\"]"
| foreach _time disposition disposition_default disposition_description disposition_label event_hash event_id host index indexer_guid notable_type owner owner_realname rule_description rule_id rule_name rule_title security_domain source sourcetype status status_default status_label urgency
[eval <<FIELD>> = "\"<<FIELD>>\":[\"" . <<FIELD>> . "\"]"]
| eval raw = "{" . bkt . "," . cd . "," . eventtype_color . "," . indextime . "," . raw . "," . serial . "," . sourcetype_internal . "," . _time . "," . disposition . "," . disposition_default . "," . disposition_description . "," . disposition_label . "," . event_hash . "," . event_id . "," . eventtype . "," . host . "," . index . "," . indexer_guid . "," . notable_type . "," . owner . "," . owner_realname . "," . rule_description . "," . rule_id . "," . rule_name . "," . rule_title . "," . security_domain . "," . source . "," . sourcetype . "," . status . "," . status_default . "," . status_label . "," . urgency . "}"

The "raw" field is what you'll want to encode so that you can then stick it into the API call without getting parsing errors. In my case I put it through my SOAR tool before making the API call.

Note that I only include a subset of fields from my notables in "raw". I don't care about things like annotations going to the investigations at this time. I also include a bunch of fields that you may not care about, so feel free to trim down as necessary. For the notable to display correctly in the Timeline slide view (in Overview), you'll need at least these fields: urgency, status_label, owner_realname, rule_description, event_id, event_hash, eventtype.

Hope that helps!
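As an added example (not code from this thread, from Splunk, or from either poster), the same payload built in Python, where json.dumps does the quote escaping that the SPL above does by hand. The endpoint, the body fields, the list-of-strings shape of "raw" and the Timeline minimum come from the posts above; SAMPLE_NOTABLE, the investigation id and the TLS flag are constructed/assumed.

```python
import json
import ssl
import urllib.request

ENDPOINT = "/services/storage/investigation/investigation_event?output_mode=json"
# Minimum fields the thread reports for the notable to render in the Timeline slide view.
TIMELINE_REQUIRED = ("urgency", "status_label", "owner_realname", "rule_description",
                     "event_id", "event_hash", "eventtype")

# Constructed sample notable (not real data); values as a Splunk search would return them.
SAMPLE_NOTABLE = {
    "_time": "1763586197", "event_id": "ABCD1234@@notable@@0001", "event_hash": "deadbeef",
    "rule_title": "Suspicious login", "rule_description": 'Logon of "admin" from new geo',
    "urgency": "high", "status_label": "New", "owner_realname": "unassigned",
    "eventtype": ["modnotable_results", "notable"],
    "_raw": '{"user":"admin","src":"203.0.113.5"}',
}

def build_raw(notable):
    """Serialize the notable as the SPL on the page does: every field becomes a list of
    strings and the whole object is one JSON string; json.dumps escapes the quotes."""
    missing = [f for f in TIMELINE_REQUIRED if f not in notable]
    if missing:
        raise ValueError(f"notable lacks Timeline fields: {missing}")
    return json.dumps({k: [str(x) for x in (v if isinstance(v, list) else [v])]
                       for k, v in notable.items()})

def build_event(notable, investigation_id, es_host):
    """Body for POST .../investigation_event, mirroring the curl call in the thread."""
    return {"event_id": notable["event_id"], "class_name": "notable_event",
            "parent_class": "investigation", "parent_id": investigation_id,
            "parent_version": 1, "version": 1, "title": notable["rule_title"],
            "start_time": int(float(notable["_time"])), "end_time": 0,
            "comments": [], "tags": [], "sourcetype": "stash", "host": es_host,
            "raw": build_raw(notable)}

def post_event(base_url, token, body, verify_tls=True):
    """POST like the curl call (urllib's default form content-type matches --data)."""
    req = urllib.request.Request(base_url + ENDPOINT, method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}"})
    ctx = None if verify_tls else ssl._create_unverified_context()  # equivalent of curl -k
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Placeholder investigation id; pass a real one from the investigation API.
    print(json.dumps(build_event(SAMPLE_NOTABLE, "INV_ID_PLACEHOLDER", "splunk_es"), indent=2))
```

Only post_event touches the network; build_event is what a SOAR playbook would call to produce the body before the call.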

VatsalJagani
SplunkTrust

@dsofoulis - You can use the "Investigation Event" endpoint from the "Investigation API"; it should be very similar to how you are adding an Artifact.

Here is the full reference - https://docs.splunk.com/Documentation/ES/7.3.1/API/InvestigationAPIreference

I hope this helps!!! Kindly upvote if it does!!!

dsofoulis
Path Finder

Yeah that’s the document I’ve been following. I’ve tried many different combinations and so far nothing has worked.

Are you able to share the correct API query to use?

VatsalJagani
SplunkTrust

I have not personally tried this API, but based on the API doc, you can try it and then ask a follow-up question based on the errors it generates.

Or you can even create a Splunk Support ticket if something is not working as described in the doc.