- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Adding Additional fields to notable events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am pretty new to ES correlation seraches and I am trying to figure out how to add additionals fields to notable events to make it esier to investigate. We have this correlation serach enabled "ESCU - Detect New Local Admin account - Rule"
`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`
When I run the above serach using the search and reporting app I get way more fields than what I see on the Additional Fields from the notable itself. for example, in the notable event the User field shows the SID and no other fields to idenity the actual username. To fix this I could add the field Account_Name that shows when I run the above serach from the search and reporting app. I tried adding that field by going into Configure -> Incident Management -> Incidnet Review Settings -> Incident Review - Event Attributes. But it is still not showing. Am I missing something here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, Just checking through if the issue was resolved or you have any further questions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi meetmshah thanks for the follow up! I was able to fix this issue by adding this agurment to the search values(field_name)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Albert_Cyber,
You have used the right way of Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. Just make sure you click the save button at the very bottom (I have seen a customer who had a similar issue and all it needed was to click on the "Save" button at the very end)
If the issue is still not resolved, can you please provide below information / screenshots -
- Search results showing the field is available
- Notable configuration (AR) screenshot
- Event Attributes screenshot
Routing logs with Splunk OTel Collector for Kubernetes
New This Month - Observability Updates Give Extended Visibility and Improve User ...
Intro to Splunk Synthetic Monitoring
