Splunk Enterprise Security

Configuring "additional fields" for a notable event in Enterprise Security (ES)

PrinceOfEval
Path Finder

I'm creating correlation searches from scratch in the latest version of ES. The search results include fields that don't show up in the notable event (in the incident review dashboard). I'd like these fields to show up in the body of the event when it's expanded using the "view details" link. Correlation searches included out of the box generate notable events that have lots of helpful fields and I'd like to add this type of content to my new correlation searches.

Can anyone tell me how to do that? Haven't seen anything in the documentation.

Thanks!

1 Solution

PrinceOfEval
Path Finder

Doing more research, I may have answered my own question. It looks like the method described in http://answers.splunk.com/answers/100738/customizing-fields-in-incident-review-tickets.html for doing this in ES 2.4 may still be valid. To rehash:

At the end of the correlation search, add "| `map_notable_fields`" to pipe the results to the map_notable_fields macro. This will display all configured fields available in the body of the notable event. To configure new fields, edit the "Event Fields List" section of the config file "/etc/apps/SplunkEnterpriseSecuritySuite/appserver/event_renderers/notable2.html".

Note that this second part is a global configuration change to ES, not just the specific correlation search. It's covered in the FAQ of the version 2.4 user manual, but isn't included in current documentation as far as I can tell. http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...

Will mark this answer correct if testing is successful.


sheamus69
Communicator

In Splunk 6.4 ES 4.1.1 (and probably earlier versions), you can add fields to the Incident Review Event Attributes by selecting:

From the ES app - Configure > Incident Management > Incident Review Settings

From this window you can view the current IR Event Attributes and add new ones by clicking the "add new entry" button.

I've found this to be a simple and easy to use approach to adding fields to the Incident Review alert.

jbrodsky_splunk
Splunk Employee

The answer that mentions editing of notable2.html is no longer valid in recent versions (3.x) of ES. Instead, copy to local and edit log_review.conf, under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/. Place your new field in the log_review.conf file, which should now reside in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local. A restart is not needed.

MHibbin
Influencer

@jbrodsky

What is the expected format of this? I haven't found any documentation on this yet.

I have added some field names as their own stanzas, however, it is not generating in Incident Review.

How do you map the field names to the meaningful names (i.e. like the defaults; e.g. dest maps to Destination)?


sowings
Splunk Employee

The format is a list of JSON objects. The "field" attribute is the name of the field in the search, and the "label" is the string used to preface the value.

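Added example, not code from this thread or from Splunk: a small checker for the log_review.conf format described in the two answers above (jbrodsky's copy-to-local step and sowings' JSON list of "field"/"label" objects). It assumes the list lives in an event_attributes key of an [incident_review] stanza, and uses constructed conf text and a constructed notable-event row; it flags the per-field-stanza layout that did not work in MHibbin's case and reports configured fields the event does not carry.

```python
"""Check a log_review.conf event_attributes list against a notable event's fields."""
import configparser
import json

# Constructed sample in the expected format (assumption: the JSON list sits in the
# event_attributes key of the [incident_review] stanza of log_review.conf).
GOOD_CONF = """
[incident_review]
event_attributes = [{"field": "dest", "label": "Destination"}, {"field": "src", "label": "Source"}, {"field": "process_name", "label": "Process"}]
"""

# Constructed sample of the layout discussed in the thread: one stanza per field name.
BAD_CONF = """
[dest]
[process_name]
"""


def parse_event_attributes(conf_text):
    """Return the list of {"field", "label"} objects, or raise if the format is wrong."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_option("incident_review", "event_attributes"):
        raise ValueError("no [incident_review] stanza with an event_attributes key")
    attrs = json.loads(cp.get("incident_review", "event_attributes"))
    if not isinstance(attrs, list):
        raise ValueError("event_attributes must be a JSON list of objects")
    for obj in attrs:
        if not isinstance(obj, dict) or not {"field", "label"} <= set(obj):
            raise ValueError("each entry needs both a 'field' and a 'label': %r" % (obj,))
    return attrs


def render_attributes(attrs, notable):
    """Map configured labels onto one notable event's values.

    Returns (rendered, missing): rendered is the list of (label, value) pairs the
    dashboard would show; missing lists configured fields the event lacks, which is
    the usual reason a field does not appear in Incident Review.
    """
    rendered = [(a["label"], notable[a["field"]]) for a in attrs if a["field"] in notable]
    missing = [a["field"] for a in attrs if a["field"] not in notable]
    return rendered, missing


# Constructed result row from a correlation search (no process_name field).
NOTABLE = {"dest": "10.0.0.5", "src": "10.0.0.9", "rule_name": "Suspicious Process"}

if __name__ == "__main__":
    shown, gaps = render_attributes(parse_event_attributes(GOOD_CONF), NOTABLE)
    print("rendered:", shown, "missing:", gaps)
```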

