Splunk Enterprise Security

Adding Additional fields to notable events

Albert_Cyber
Explorer

I am pretty new to ES correlation seraches and I am trying to figure out how to add additionals fields to notable events to make it esier to investigate. We have this correlation serach enabled "ESCU - Detect New Local Admin account - Rule"

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

When I run the above serach using the search and reporting app I get way more fields than what I see on the Additional Fields from the notable itself. for example, in the notable event the User field shows the SID and no other fields to idenity the actual username. To fix this I could add the field  Account_Name that shows when I  run the above serach from the search and reporting app.  I tried adding that field by going into Configure -> Incident Management -> Incidnet Review Settings -> Incident Review - Event Attributes. But it is still not showing. Am I missing something here? 

Labels (1)
Tags (1)
0 Karma
1 Solution

Albert_Cyber
Explorer

Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)

View solution in original post

0 Karma

meetmshah
Contributor

Hello, Just checking through if the issue was resolved or you have any further questions?

0 Karma

Albert_Cyber
Explorer

Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)

0 Karma

meetmshah
Contributor

Hello @Albert_Cyber,

You have used the right way of Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. Just make sure you click the save button at the very bottom (I have seen a customer who had a similar issue and all it needed was to click on the "Save" button at the very end)

 

If the issue is still not resolved, can you please provide below information / screenshots - 

 - Search results showing the field is available

 - Notable configuration (AR) screenshot

 - Event Attributes screenshot

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...