Splunk Enterprise Security

Adding Additional fields to notable events

Albert_Cyber
Explorer

I am pretty new to ES correlation seraches and I am trying to figure out how to add additionals fields to notable events to make it esier to investigate. We have this correlation serach enabled "ESCU - Detect New Local Admin account - Rule"

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

When I run the above serach using the search and reporting app I get way more fields than what I see on the Additional Fields from the notable itself. for example, in the notable event the User field shows the SID and no other fields to idenity the actual username. To fix this I could add the field  Account_Name that shows when I  run the above serach from the search and reporting app.  I tried adding that field by going into Configure -> Incident Management -> Incidnet Review Settings -> Incident Review - Event Attributes. But it is still not showing. Am I missing something here? 

Labels (1)
Tags (1)
0 Karma
1 Solution

Albert_Cyber
Explorer

Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)

View solution in original post

0 Karma

meetmshah
Contributor

Hello, Just checking through if the issue was resolved or you have any further questions?

0 Karma

Albert_Cyber
Explorer

Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)

0 Karma

meetmshah
Contributor

Hello @Albert_Cyber,

You have used the right way of Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. Just make sure you click the save button at the very bottom (I have seen a customer who had a similar issue and all it needed was to click on the "Save" button at the very end)

 

If the issue is still not resolved, can you please provide below information / screenshots - 

 - Search results showing the field is available

 - Notable configuration (AR) screenshot

 - Event Attributes screenshot

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...