Splunk Enterprise Security

Adding Additional fields to notable events

Albert_Cyber
Explorer

I am pretty new to ES correlation searches and I am trying to figure out how to add additional fields to notable events to make it easier to investigate. We have this correlation search enabled: "ESCU - Detect New Local Admin account - Rule"

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction member_id connected=false maxspan=180m
| rename member_id as user
| stats count min(_time) as firstTime max(_time) as lastTime by user dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`

When I run the above search using the Search and Reporting app I get way more fields than what I see in the Additional Fields of the notable itself. For example, in the notable event the User field shows the SID and no other fields to identify the actual username. To fix this I could add the field Account_Name, which shows when I run the above search from the Search and Reporting app. I tried adding that field by going into Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. But it is still not showing. Am I missing something here?

1 Solution

Albert_Cyber
Explorer

Hi meetmshah, thanks for the follow up! I was able to fix this issue by adding this argument to the search: values(field_name)

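Why values() is what makes the difference: the stats command only emits its by-fields (here user and dest) and the aggregates you ask for, so every other field the raw 4720/4732 events carried, Account_Name included, is gone before the notable is written to the notable index. Incident Review's Event Attributes setting can only display a field that actually exists in the stored notable, which is why adding Account_Name there alone did nothing. The search below is an added example written for this page, not the ESCU rule or the poster's exact search; it carries Account_Name through with values() and, as an assumption, also keeps EventCode so the notable shows whether the account was created (4720), added to Administrators (4732), or both.

```spl
`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction member_id connected=false maxspan=180m
| rename member_id as user
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
        values(Account_Name) as Account_Name
        values(EventCode) as EventCode
  by user dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`
```

Two caveats when testing this: Account_Name on a 4720 event holds both the subject (who created the account) and the target (the account created), so values() returns a multivalue field rather than a single name, and you may prefer a more specific extracted field such as the target account name if your add-on provides one. Also, the extra fields only appear on notables generated after the correlation search is saved; notables already in the notable index keep the fields they were written with. After saving the search, add Account_Name (and EventCode if you kept it) under Incident Review - Event Attributes and click Save at the bottom of that page.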

meetmshah
SplunkTrust

Hello, Just checking through if the issue was resolved or you have any further questions?



meetmshah
SplunkTrust

Hello @Albert_Cyber,

You have used the right way: Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. Just make sure you click the Save button at the very bottom (I have seen a customer who had a similar issue, and all it needed was to click on the "Save" button at the very end).


If the issue is still not resolved, can you please provide the below information / screenshots:

 - Search results showing the field is available

 - Notable configuration (AR) screenshot

 - Event Attributes screenshot
