Splunk Enterprise Security

Configuring "additional fields" for a notable event in Enterprise Security (ES)

PrinceOfEval
Path Finder

I'm creating correlation searches from scratch in the latest version of ES. The search results include fields that don't show up in the notable event (in the incident review dashboard). I'd like these fields to show up in the body of the event when it's expanded using the "view details" link. Correlation searches included out of the box generate notable events that have lots of helpful fields and I'd like to add this type of content to my new correlation searches.

Can anyone tell me how to do that? Haven't seen anything in the documentation.

Thanks!

1 Solution

PrinceOfEval
Path Finder

Doing more research, I may have answered my own question. It looks like the method described in http://answers.splunk.com/answers/100738/customizing-fields-in-incident-review-tickets.html for doing this in ES 2.4 may still be valid. To rehash:

At the end of the correlation search, add "| `map_notable_fields`" to pipe the results to the map_notable_fields macro. This will display all configured fields available in the body of the notable event. To configure new fields, edit the "Event Fields List" section of the config file "/etc/apps/SplunkEnterpriseSecuritySuite/appserver/event_renderers/notable2.html".

Note that this second part is a global configuration change to ES, not just the specific correlation search. It's covered in the FAQ of the version 2.4 user manual, but isn't included in current documentation as far as I can tell. http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...

Will mark this answer correct if testing is successful.


sheamus69
Communicator

In Splunk 6.4 ES 4.1.1 (and probably earlier versions), you can add fields to the Incident Review Event Attributes by selecting:

From the ES app - Configure > Incident Management > Incident Review Settings

From this window you can view the current IR Event Attributes and add new ones by clicking the "add new entry" button.

I've found this to be a simple and easy to use approach to adding fields to the Incident Review alert.

jbrodsky_splunk
Splunk Employee

The answer that mentions editing of notable2.html is no longer valid in recent versions (3.x) of ES. Instead, copy to local and edit log_review.conf, under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/. Place your new field in the log_review.conf file, which should now reside in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local. A restart is not needed.

MHibbin
Influencer

@jbrodsky

what is the expected format of this? - I haven't found any documentation on this yet.

I have added some field names as their own stanzas, however, it is not generating in Incident Review.

How do you map the field names to the meaningful names (i.e. like the defaults; e.g. dest maps to Destination)?


sowings
Splunk Employee

The format is a list of JSON objects. The "field" attribute is the name of the field in the search, and the "label" is the string used to preface the value.

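An added example, not code from the thread or from Splunk: a small Python script that builds the JSON list described above (objects with "field" and "label"), checks it for the mistakes that silently stop fields from appearing in Incident Review (a non-array, a missing "field" or "label", duplicate field names, stray keys), and renders it as a log_review.conf stanza. The stanza name `[incident_review]` and the key name `event_attributes` are assumptions about the file layout that the thread does not state, and all field lists below are constructed sample data.

```python
"""Added example (not from the Splunk Answers thread): build and sanity-check the
list of {"field": ..., "label": ...} objects that ES reads from log_review.conf.

Assumptions (not confirmed by the thread): the list lives in an
[incident_review] stanza under the key ``event_attributes`` and is written as
one line of JSON. All sample data below is constructed for illustration.
"""
import json

# Constructed stand-in for the shipped default list (illustrative only).
DEFAULT_ATTRIBUTES = [
    {"field": "dest", "label": "Destination"},
    {"field": "src", "label": "Source"},
]

# Fields a new correlation search emits that we want shown in Incident Review.
# "dest" is deliberately repeated to show that the merge drops duplicates.
NEW_ATTRIBUTES = [
    {"field": "dest", "label": "Destination"},
    {"field": "process_name", "label": "Process"},
    {"field": "command_line", "label": "Command line"},
]


def validate_attributes(attrs):
    """Return a list of problems found in an event_attributes list; [] means OK."""
    problems = []
    if not isinstance(attrs, list):
        return ["event_attributes must be a JSON array"]
    seen = set()
    for i, item in enumerate(attrs):
        if not isinstance(item, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        field = item.get("field")
        label = item.get("label")
        if not isinstance(field, str) or not field:
            problems.append(f"entry {i}: missing or empty 'field'")
        elif field in seen:
            problems.append(f"entry {i}: duplicate field '{field}'")
        else:
            seen.add(field)
        if not isinstance(label, str) or not label:
            problems.append(f"entry {i}: missing or empty 'label'")
        extra = set(item) - {"field", "label"}
        if extra:
            problems.append(f"entry {i}: unexpected keys {sorted(extra)}")
    return problems


def merge_attributes(defaults, additions):
    """Append new entries to the defaults, keeping the first occurrence of each field."""
    merged = []
    seen = set()
    for item in list(defaults) + list(additions):
        if item["field"] in seen:
            continue
        seen.add(item["field"])
        merged.append({"field": item["field"], "label": item["label"]})
    return merged


def render_stanza(attrs):
    """Render the stanza as it would be pasted into local/log_review.conf.
    Stanza and key names are assumptions; see the module docstring."""
    return "[incident_review]\nevent_attributes = " + json.dumps(attrs, separators=(",", ":"))


def parse_stanza(text):
    """Read the event_attributes list back out of a stanza string (round-trip check)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "event_attributes":
            return json.loads(value.strip())
    raise ValueError("event_attributes key not found")


if __name__ == "__main__":
    combined = merge_attributes(DEFAULT_ATTRIBUTES, NEW_ATTRIBUTES)
    assert validate_attributes(combined) == []
    print(render_stanza(combined))
```

Run it against the contents of your own local copy of the key before pasting the result back: the validator catches the case where a field is listed twice (once in the default list, once in yours), which is easy to do when copying the whole file to local and appending to it.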

