Splunk Enterprise Security

Configuring "additional fields" for a notable event in Enterprise Security (ES)

Path Finder

I'm creating correlation searches from scratch in the latest version of ES. The search results include fields that don't show up in the notable event (in the incident review dashboard). I'd like these fields to show up in the body of the event when it's expanded using the "view details" link. Correlation searches included out of the box generate notable events that have lots of helpful fields and I'd like to add this type of content to my new correlation searches.

Can anyone tell me how to do that? Haven't seen anything in the documentation.

Thanks!

1 Solution

Path Finder

Doing more research, I may have answered my own question. It looks like the method described in http://answers.splunk.com/answers/100738/customizing-fields-in-incident-review-tickets.html for doing this in ES 2.4 may still be valid. To rehash:

At the end of the correlation search, add "| `map_notable_fields`" to pipe the results to the map_notable_fields macro. This will display all configured fields available in the body of the notable event. To configure new fields, edit the "Event Fields List" section of the config file "/etc/apps/SplunkEnterpriseSecuritySuite/appserver/event_renderers/notable2.html".

Note that this second part is a global configuration change to ES, not just the specific correlation search. It's covered in the FAQ of the version 2.4 user manual, but isn't included in current documentation as far as I can tell. http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...

Will mark this answer correct if testing is successful.


Communicator

In Splunk 6.4 ES 4.1.1 (and probably earlier versions), you can add fields to the Incident Review Event Attributes by selecting:

From the ES app - Configure > Incident Management > Incident Review Settings

From this window you can view the current IR Event Attributes and add new ones by clicking the "add new entry" button.

I've found this to be a simple and easy to use approach to adding fields to the Incident Review alert.

Splunk Employee

The answer that mentions editing of notable2.html is no longer valid in recent versions (3.x) of ES. Instead, copy to local and edit log_review.conf, under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/. Place your new field in the log_review.conf file, which should now reside in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local. A restart is not needed.

Influencer

@jbrodsky

What is the expected format of this? I haven't found any documentation on this yet.

I have added some field names as their own stanzas, however, it is not generating in Incident Review.

How do you map the field names to the meaningful names (i.e. like the defaults; e.g. dest maps to Destination)?


Splunk Employee

The format is a list of JSON objects. The "field" attribute is the name of the field in the search, and the "label" is the string used to preface the value.

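To make the format in the answer above concrete, here is an added example (not from this thread, Splunk, or ES itself) that reads a log_review.conf fragment, checks that the value really is a JSON list of objects each carrying "field" and "label", and then applies that mapping to a sample notable event the way Incident Review labels attributes (e.g. dest shown as Destination). The stanza name `[incident_review]`, the key name `table_attributes`, and the sample field names are assumptions chosen for the example; check them against the default log_review.conf shipped in SA-ThreatIntelligence before copying anything to local.

```python
import configparser
import json

# Constructed sample of a log_review.conf fragment. The stanza and key names are
# assumptions for this example, not something the thread above states; the value
# format (a JSON list of {"field": ..., "label": ...} objects) is what the answer
# describes.
SAMPLE_CONF = """
[incident_review]
table_attributes = [{"field": "dest", "label": "Destination"}, {"field": "src", "label": "Source"}, {"field": "user_role", "label": "User Role"}]
"""

# Constructed fragment with a broken entry (no "label"), to show what validation catches.
BAD_CONF = """
[incident_review]
table_attributes = [{"field": "dest", "label": "Destination"}, {"field": "signature"}]
"""


def conf_problems(conf_text, stanza="incident_review", key="table_attributes"):
    """Return a list of human-readable problems with the attribute list (empty if OK)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_option(stanza, key):
        return [f"missing [{stanza}] / {key}"]
    try:
        entries = json.loads(parser.get(stanza, key))
    except json.JSONDecodeError as exc:
        return [f"{key} is not valid JSON: {exc}"]
    if not isinstance(entries, list):
        return [f"{key} must be a JSON list, got {type(entries).__name__}"]
    problems = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i} is not a JSON object: {entry!r}")
            continue
        for required in ("field", "label"):
            if not isinstance(entry.get(required), str) or not entry[required]:
                problems.append(f"entry {i} lacks a non-empty string '{required}': {entry!r}")
    return problems


def load_attribute_map(conf_text, stanza="incident_review", key="table_attributes"):
    """Parse the attribute list into ordered (field, label) pairs; raise on a bad config."""
    problems = conf_problems(conf_text, stanza, key)
    if problems:
        raise ValueError("; ".join(problems))
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    entries = json.loads(parser.get(stanza, key))
    return [(entry["field"], entry["label"]) for entry in entries]


def render_event_attributes(event, mapping):
    """Return the (label, value) pairs Incident Review would show for this event:
    only configured fields that are actually present, in configuration order."""
    return [(label, event[field]) for field, label in mapping if field in event]


def unconfigured_fields(event, mapping):
    """Fields a correlation search produced that will NOT appear in the notable
    event because no entry maps them to a label (the original poster's symptom)."""
    configured = {field for field, _ in mapping}
    return sorted(field for field in event if field not in configured)


if __name__ == "__main__":
    mapping = load_attribute_map(SAMPLE_CONF)
    # Constructed notable-event result, as a correlation search might emit it.
    event = {"dest": "10.0.0.5", "src": "10.0.0.9", "signature": "Example Signature"}
    for label, value in render_event_attributes(event, mapping):
        print(f"{label}: {value}")
    print("not shown:", unconfigured_fields(event, mapping))
    print("problems in BAD_CONF:", conf_problems(BAD_CONF))
```

Run `conf_problems()` against your local copy before relying on the change: a single malformed object in the list silently breaks the whole attribute table rather than just the one entry, and `unconfigured_fields()` tells you which search output fields still need an entry.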

