Splunk Enterprise Security

Drill-down and Next Step are not read in Incident Review

zksvc
Contributor

Hi There, 

I got issue Drill-down and Next Step are not read in Incident Review, i create Splunk Lab for Research And Development by myself. I just install Splunk Enterprise and Enterprise Security (nothing another external apps) and i ingest DVWA to my Splunk. As you know DVWA has various vulnerabilities, and I want to utilize this as a log that I will then manage in Splunk. Therefore, I made a rule regarding uploading inappropriate files. The query is like this 

 

index=lab_web sourcetype="apache:access" 
| rex field=_raw "\[(?<Time>[^\]]+)\] \"(?<Method>\w+) (?<Path>/DVWA/vulnerabilities/upload/[^/]+\.\w+) HTTP/1.1\" (?<Status>\d{3}) \d+ \"(?<Referer>[^\"]+)\" \"(?<UserAgent>[^\"]+)\""
| eval FileName = mvindex(split(Path, "/"), -1)
| eval FullPath = "http://localhost" . Path
| where match(FileName, "\.(?!jpeg$|png$)[a-zA-Z0-9]+$")
| table Time, FileName, FullPath, Status

 

In that correlation, I added notables that were filled in from the drill-down and also the next step. 

zksvc_0-1730344214222.png

But why when I enter the incident review, the drill-down and next steps that I created are not readable?

zksvc_1-1730344526884.png

Maybe there is an application that I haven't installed or something else?

I will attach my full correlation setting include with notable, drill-down, and Next Steps.

 

Splunk Enterprise Version : 9.3.1

Enterprise Security Version : 7.3.2

0 Karma

meetmshah
SplunkTrust
SplunkTrust

Hello @zksvc Was the notable created after you updated the next actions - or was it already generated and later you updated the Correlation Search?

0 Karma

zksvc
Contributor

I create notable manually and i update next actions at the same time when i create notable

0 Karma

zksvc
Contributor

Anyone don't have same problem here ? 

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.

Can’t make it to .conf25? Join us online!

Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...