Create monthly report about notables from Enterprise Security
I'm trying to create a report that includes the following information and want to schedule it to run monthly. I need to know how I can gather the information from Splunk.
- How many events are observed by Splunk for a month? Of those, how many are internal Splunk events? How many events are from log sources?
- Total number of notables observed by month
- Classification of notables based on severity
- What is the notable generation time?
- What is the time the notable was assigned to an analyst?
- What is the time the analyst responded to the notable, and what was the response?
- What time was the notable closed?
As of now I'm going through the `notable`, but need more information as to how this can be navigated. Your comments would be appreciated.
Thanks
Hi @KKuser
For the first, are you wanting to know the number of raw events Splunk searched by Enterprise Security in order to produce your notables? If so, something like this should work but may need modifying to meet your needs:

```spl
index=_audit search=* info=completed action=search savedsearch_name=* provenance=scheduler (app=SplunkEnterpriseSecuritySuite OR app=SA-*)
| timechart span=1d sum(event_count) as events_scanned sum(result_count) as results_found
```

Regarding your other points, I think it would be best to check out the Analytics->Executive Summary dashboard from within Enterprise Security, as I think this covers what you are looking for; this dashboard can be cloned and tweaked to your needs.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
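As an added example (not from any post in this thread), a `savedsearches.conf` stanza that schedules a per-notable lifecycle report for the previous calendar month: creation time and urgency from the notable event, assignment, first response and closure from the incident review lookup. It assumes the ES `incident_review_lookup` fields `rule_id`, `time`, `owner`, `status` and `comment`, that `rule_id` matches the notable's `event_id`, that `owner` is `unassigned` until an analyst takes the notable, and the default status ids (2 = In Progress, 5 = Closed); check all of these against `reviewstatuses_lookup` and your ES version.

```ini
# Added example, not part of the thread. Assumptions are noted inline.
[Monthly Notable Lifecycle Report]
# Run at 06:00 on the 1st of each month, covering the previous calendar month.
enableSched = 1
cron_schedule = 0 6 1 * *
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon
# Creation time and urgency come from the notable event itself; assignment,
# first response and closure come from the analysts' incident review entries.
# Assumed: rule_id in the lookup equals event_id of the notable, owner is
# "unassigned" until assigned, status 2 = In Progress and 5 = Closed.
search = index=notable \
| eval rule_id=coalesce(rule_id, event_id) \
| stats min(_time) AS created, first(urgency) AS urgency, first(rule_name) AS rule_name BY rule_id \
| join type=left rule_id [ \
    | inputlookup incident_review_lookup \
    | eval time=tonumber(time), status=tonumber(status) \
    | stats min(eval(if(isnotnull(owner) AND owner!="unassigned", time, null()))) AS assigned, \
            min(eval(if(status=2, time, null()))) AS responded, \
            max(eval(if(status=5, time, null()))) AS closed, \
            last(comment) AS last_comment \
      BY rule_id ] \
| eval hours_to_assign=round((assigned-created)/3600, 1), \
       hours_to_respond=round((responded-created)/3600, 1), \
       hours_to_close=round((closed-created)/3600, 1) \
| convert ctime(created) ctime(assigned) ctime(responded) ctime(closed) \
| table rule_id rule_name urgency created assigned responded closed \
        hours_to_assign hours_to_respond hours_to_close last_comment
```

Appending `| stats count BY urgency` to the same search gives the monthly severity breakdown; note that `join` subsearches are capped (50,000 results by default), so on a busy deployment filter the lookup by time range before the `stats`.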
I'm able to see the 'Mean time to resolution' field in the dashboard. But apart from that I'm unable to find other data points I'm looking for in the dashboard that you are referring to.
@KKuser - I don't know if it would be possible to get the first request; the rest of the requests are mostly available by default on the latest Enterprise Security default dashboards. You can get the queries for the reports from these default Enterprise Security dashboards.
I hope this helps!!!
I'm using an old version of Enterprise Security. Unfortunately there's not a lot of dashboard information that I can see.
It'd be great if you can share the SPL queries or references to see where I can find the information.
Thanks
