Splunk Enterprise Security

Configuring "additional fields" for a notable event in Enterprise Security (ES)

PrinceOfEval
Path Finder

I'm creating correlation searches from scratch in the latest version of ES. The search results include fields that don't show up in the notable event (in the incident review dashboard). I'd like these fields to show up in the body of the event when it's expanded using the "view details" link. Correlation searches included out of the box generate notable events that have lots of helpful fields and I'd like to add this type of content to my new correlation searches.

Can anyone tell me how to do that? Haven't seen anything in the documentation.

Thanks!

1 Solution

PrinceOfEval
Path Finder

Doing more research, I may have answered my own question. It looks like the method described in http://answers.splunk.com/answers/100738/customizing-fields-in-incident-review-tickets.html for doing this in ES 2.4 may still be valid. To rehash:

At the end of the correlation search, add "| `map_notable_fields`" to pipe the results to the map_notable_fields macro. This will display all configured fields available in the body of the notable event. To configure new fields, edit the "Event Fields List" section of the config file "/etc/apps/SplunkEnterpriseSecuritySuite/appserver/event_renderers/notable2.html".

Note that this second part is a global configuration change to ES, not just the specific correlation search. It's covered in the FAQ of the version 2.4 user manual, but isn't included in current documentation as far as I can tell. http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...

Will mark this answer correct if testing is successful.


sheamus69
Communicator

In Splunk 6.4 ES 4.1.1 (and probably earlier versions), you can add fields to the Incident Review Event Attributes by selecting:

From the ES app - Configure > Incident Management > Incident Review Settings

From this window you can view the current IR Event Attributes and add new ones by clicking the "add new entry" button.

I've found this to be a simple and easy to use approach to adding fields to the Incident Review alert.

jbrodsky_splunk
Splunk Employee

The answer that mentions editing of notable2.html is no longer valid in recent versions (3.x) of ES. Instead, copy to local and edit log_review.conf, under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/. Place your new field in the log_review.conf file, which should now reside in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local. A restart is not needed.

MHibbin
Influencer

@jbrodsky

What is the expected format of this? I haven't found any documentation on this yet.

I have added some field names as their own stanzas, however, it is not generating in Incident Review.

How do you map the field names to the meaningful names (i.e. like the defaults; e.g. dest maps to Destination)?

0 Karma

sowings
Splunk Employee

The format is a list of JSON objects. The "field" attribute is the name of the field in the search, and the "label" is the string used to preface the value.

0 Karma
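As an added illustration of the format sowings describes (not code from the thread or from Splunk), the helper below validates the JSON list of `{"field", "label"} ` objects before it goes into `local/log_review.conf`, appends a new attribute without duplicating an existing one, and emits the stanza. The stanza name `[incident_review]` and key `event_attributes`, and the sample attribute list, are assumptions; check them against the `log_review.conf.spec` shipped with your ES version.

```python
import json
from typing import Dict, List

# Constructed sample of the existing attribute list: a JSON array of objects whose
# "field" is the search field and whose "label" prefaces the value in Incident Review.
EXISTING_ATTRIBUTES = json.dumps([
    {"field": "dest", "label": "Destination"},
    {"field": "src", "label": "Source"},
])


def validate_attributes(raw: str) -> List[Dict[str, str]]:
    """Parse the list and reject the shapes that silently render nothing
    (a bare object instead of an array, missing keys, duplicate fields)."""
    try:
        items = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"attribute list is not valid JSON: {exc}") from exc
    if not isinstance(items, list):
        raise ValueError("attribute list must be a JSON array, not a single object")
    seen = set()
    for i, item in enumerate(items):
        if not isinstance(item, dict) or not {"field", "label"} <= set(item):
            raise ValueError(f"entry {i} must be an object with 'field' and 'label'")
        for key in ("field", "label"):
            if not isinstance(item[key], str) or not item[key]:
                raise ValueError(f"entry {i}: {key!r} must be a non-empty string")
        if item["field"] in seen:
            raise ValueError(f"field {item['field']!r} is listed twice")
        seen.add(item["field"])
    return items


def add_attribute(raw: str, field: str, label: str) -> str:
    """Append one field/label pair, preserving order; a field already present is left as is."""
    items = validate_attributes(raw)
    if any(item["field"] == field for item in items):
        return json.dumps(items)
    items.append({"field": field, "label": label})
    return json.dumps(items)


def render_stanza(raw: str) -> str:
    """Emit the local/log_review.conf stanza. Stanza and key names are assumed
    (they match later ES releases); confirm against your version's .spec file."""
    validate_attributes(raw)
    return "[incident_review]\nevent_attributes = " + raw + "\n"
```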
