Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Drill-down and Next Step are not read in Incident Review

zksvc
Path Finder
‎10-30-2024 08:21 PM

Hi There, 

I got issue Drill-down and Next Step are not read in Incident Review, i create Splunk Lab for Research And Development by myself. I just install Splunk Enterprise and Enterprise Security (nothing another external apps) and i ingest DVWA to my Splunk. As you know DVWA has various vulnerabilities, and I want to utilize this as a log that I will then manage in Splunk. Therefore, I made a rule regarding uploading inappropriate files. The query is like this 

 

index=lab_web sourcetype="apache:access" 
| rex field=_raw "\[(?<Time>[^\]]+)\] \"(?<Method>\w+) (?<Path>/DVWA/vulnerabilities/upload/[^/]+\.\w+) HTTP/1.1\" (?<Status>\d{3}) \d+ \"(?<Referer>[^\"]+)\" \"(?<UserAgent>[^\"]+)\""
| eval FileName = mvindex(split(Path, "/"), -1)
| eval FullPath = "http://localhost" . Path
| where match(FileName, "\.(?!jpeg$|png$)[a-zA-Z0-9]+$")
| table Time, FileName, FullPath, Status

 

In that correlation, I added notables that were filled in from the drill-down and also the next step. 

zksvc_0-1730344214222.png

But why when I enter the incident review, the drill-down and next steps that I created are not readable?

zksvc_1-1730344526884.png

Maybe there is an application that I haven't installed or something else?

I will attach my full correlation setting include with notable, drill-down, and Next Steps.

 

Splunk Enterprise Version : 9.3.1

Enterprise Security Version : 7.3.2

Preview file
1760 KB
0 Karma
Reply

meetmshah
Builder
‎11-24-2024 02:09 AM

Hello @zksvc Was the notable created after you updated the next actions - or was it already generated and later you updated the Correlation Search?

0 Karma
Reply

zksvc
Path Finder
‎11-25-2024 01:45 AM

I create notable manually and i update next actions at the same time when i create notable

0 Karma
Reply

zksvc
Path Finder
‎11-13-2024 10:51 PM

Anyone don't have same problem here ? 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...