Splunk Enterprise Security

ES - Notables | fetch correlated/contributing events for the triggered time in search app

CryoHydra
Path Finder

Hi,

In incident review dashboard i have assigned some notables to me, instead of reviewing one by one i wanted to review events for all notables in single attempt through search app.

e.g) Notable for excessive firewall deny rule - triggered for the time period 1AM to 5AM --> i need to review correlated/contributing events by opening the incident

e.g) excessive failed logon - triggered for 3AM to 8AM

both notable in incident review dash board is assigned to me and based on search properties i can get all notables assigned to me (search query) and can be used in search app, however i want to fetch contributing events for the notable in search app itself based on triggered time ? how can we go over this ?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...