Splunk Enterprise Security

Any way to change the default owner of a notable dynamically?

GOB_Bluth
Explorer

We would like to dynamically assign an owner of a notable event?

Our soc would like to round robin the incoming events, does anyone know of a way to do this or

0 Karma
1 Solution

DMohn
Motivator

This cannot be done in the moment of the event creation. However, you could implement a saved search, that modifies the corresponding KV store lookup (es_notable_events) and assigns a owner there.

I could imagine doing it the following way:
- create a lookup table containing the usernames of the SOC analysts that should have tickets assigned, and a ID for them
- create another lookup table containing the ID of the last user, that had a ticket assigned
- get the latest created notable events (see lookup table mentioned above)
- get the ID of the user that had a ticket assigned last
- cycle through your anaylst lookup, and alter the es_notable_events lookup by assigning an analyst to each unassigned ticket
- schedule this search to run every 5 mins or so

This might need some tuning to make it work for your case, but I assume the basic principle should be okay...

View solution in original post

0 Karma

doksu
SplunkTrust
SplunkTrust

This can now be done easily via SPL using https://splunkbase.splunk.com/app/5211/

WRT to the round-robining, a simple way to do this might be to have a lookup with all the analysts and a field indicating the last time a notable was assigned to them (in epoch time). This would be used in your search with the app above to both update the lookup and figure out who is next to have a notable assigned.

0 Karma

DMohn
Motivator

This cannot be done in the moment of the event creation. However, you could implement a saved search, that modifies the corresponding KV store lookup (es_notable_events) and assigns a owner there.

I could imagine doing it the following way:
- create a lookup table containing the usernames of the SOC analysts that should have tickets assigned, and a ID for them
- create another lookup table containing the ID of the last user, that had a ticket assigned
- get the latest created notable events (see lookup table mentioned above)
- get the ID of the user that had a ticket assigned last
- cycle through your anaylst lookup, and alter the es_notable_events lookup by assigning an analyst to each unassigned ticket
- schedule this search to run every 5 mins or so

This might need some tuning to make it work for your case, but I assume the basic principle should be okay...

0 Karma

GOB_Bluth
Explorer

This sounds like a very plausible idea. It looks like ES provides a rest endpoint to do something similar.

I would like to suggest this be added to product road map for future updates, soc environments are challenging and dynamic with a variety of staff and skill levels. ES needs to do better to meet these challenges. Currently we are just picking things out of a queue which is kind of silly.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

At the moment, assignment of notable is done outside the notable creation. So, not sure if there is any automated way. Having said that, if an analyst is off/sick/away, how do you then assign the notables to 'owners/analysts'?

you may end-up creating a process/job to look for open/un-assigned notable and assign them based on a lookup of active 'owners' for that day of the week.

0 Karma

GOB_Bluth
Explorer

thank you

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>