Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding Additional fields to notable events

Albert_Cyber
Explorer
‎10-06-2023 09:12 AM

I am pretty new to ES correlation seraches and I am trying to figure out how to add additionals fields to notable events to make it esier to investigate. We have this correlation serach enabled "ESCU - Detect New Local Admin account - Rule"

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

When I run the above serach using the search and reporting app I get way more fields than what I see on the Additional Fields from the notable itself. for example, in the notable event the User field shows the SID and no other fields to idenity the actual username. To fix this I could add the field  Account_Name that shows when I  run the above serach from the search and reporting app.  I tried adding that field by going into Configure -> Incident Management -> Incidnet Review Settings -> Incident Review - Event Attributes. But it is still not showing. Am I missing something here? 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Albert_Cyber
Explorer
‎10-17-2023 10:25 AM

Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

meetmshah
SplunkTrust
SplunkTrust
‎10-12-2023 11:15 PM

Hello, Just checking through if the issue was resolved or you have any further questions?

0 Karma
Reply
Solved! Jump to solution
Solution

Albert_Cyber
Explorer
‎10-17-2023 10:25 AM

Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)

0 Karma
Reply
Solved! Jump to solution

meetmshah
SplunkTrust
SplunkTrust
‎10-07-2023 10:15 PM

Hello @Albert_Cyber,

You have used the right way of Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. Just make sure you click the save button at the very bottom (I have seen a customer who had a similar issue and all it needed was to click on the "Save" button at the very end)

 

If the issue is still not resolved, can you please provide below information / screenshots - 

 - Search results showing the field is available

 - Notable configuration (AR) screenshot

 - Event Attributes screenshot

Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...