Splunk Enterprise Security

Adding to 'Additional Fields' In Incident Review

adam_dixon95
Explorer

Hi,

I'm trying to see if there's a way to add additional/custom fields in Incident Review.

Is there much room for customisation? All I've seen thus far is adding event attributes via Incident Review settings.

Sorry this is rather vague - Just looking to find ways to customize these settings on the basis of different notable events.

Thanks,

Adam.

0 Karma

lakshman239
Influencer

what sort of customization are you looking to do per notable? Have you looked at http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/ to suggest linking a ticketId to adaptive response?

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...