Splunk Enterprise Security

ES : Why is time range picker not working for incident_review macro?

neerajs_81
Builder

Hello, in ES when we run the following macro for a Last 30 mins or Last 24 H time range, Splunk ends up displaying results from all the way back in time, as in the last 6 months of data as well. Why is that so? It's as if it completely ignores the date/time range, whatever we specify. BTW, this is an out-of-the-box macro.

|`incident_review`
| table _time owner rule_id rule_name status_label

My requirement is to show the notables triggered based on the date range we select.
Secondly, does anyone know how to show the number of incidents (notable alerts) worked on by each SOC analyst? Basically I'm trying to generate performance metrics for each analyst: how many alerts they worked on, time to close each alert, details of each status change, etc. The default provided SOC operations dashboard sucks.

1 Solution

chaker
Contributor

I added some fields at the end of the table to show the day, hour and year. You can make more using the time variables here:
https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Commontimeformatvariables

| inputlookup append=T incident_review_lookup
| rename user as reviewer
| lookup update=true user_realnames_lookup user as "owner" OUTPUTNEW realname as "owner_realname"
| eval "owner_realname"=if(isnull('owner_realname'),'owner','owner_realname')
| lookup update=true user_realnames_lookup user as "reviewer" OUTPUTNEW realname as "reviewer_realname"
| eval "reviewer_realname"=if(isnull('reviewer_realname'),'reviewer','reviewer_realname')
| eval nullstatus=if(isnull(status),"true","false")
| eval temp_status=if(isnull(status),-1,status)
| lookup update=true reviewstatuses_lookup _key as temp_status OUTPUT status,label as status_label,description as status_description,default as status_default,end as status_end
| eval status=if(isnull(status_label),0,status),status_label=if(isnull(status_label),"Unassigned",status_label),status_description=if(isnull(status_description),"unknown",status_description),"status_default"=case(match('status_default', "1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match('status_default', "0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",1=1,'status_default'),"status_end"=case(match('status_end', "1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match('status_end', "0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",1=1,'status_end'),status_group=case(status_default=="true","New",status_end=="true","Closed",status=0,"New",1=1,"Open")
| fields - temp_status
| eval status=if((isnull(status) OR isnull(status_label)) AND nullstatus=="false",0,status)
| eval status_label=if(isnull(status_label) AND nullstatus=="false","Unassigned",status_label)
| eval status_description=if(isnull(status_description) AND nullstatus=="false","unknown",status_description)
| eval _time=time
| fields - nullstatus
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval eventDay=strftime(_time,"%A")
| eval eventYear=strftime(_time,"%Y")
| table _time owner rule_id rule_name status_label eventHour eventDay eventMin eventYear

 


neerajs_81
Builder

Thanks a lot. Appreciate it


chaker
Contributor

To your second question, have you tried the Incident Review Audit report on the Audit menu?

en-US/app/SplunkEnterpriseSecuritySuite/incident_review_audit


chaker
Contributor

If you press CTRL SHIFT E on that search you will see the macro fully expanded.

It's just a bunch of lookups, and the time range picker only works on _time.

Notice at the end of the search there is an eval for time?

| eval _time=time

You can use that with some tokens on a dashboard or manually add filters to the search for _time.

 

Does that help?

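As an added example (not from this thread and not Splunk's own dashboard), a SimpleXML form that does what the reply above suggests: the time input's tokens bound the search job, `addinfo` exposes those bounds as info_min_time/info_max_time, and a `where` on _time applies them to the lookup rows, which the macro never does on its own; the final stats roll review activity up per analyst. The field names (reviewer_realname, status_group, rule_id) are the ones the expanded macro in the accepted answer produces; the form label is made up, and the "+Infinity" check assumes the documented behaviour of addinfo for a search with no upper time bound.

```xml
<form>
  <label>Notable review activity per analyst (added example)</label>
  <!-- The time input's earliest/latest are applied to the search job below,
       which addinfo then exposes as info_min_time / info_max_time. -->
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Review actions per analyst in the selected range</title>
      <table>
        <search>
          <query>
| `incident_review`
| addinfo
| where _time &gt;= info_min_time
    AND (info_max_time == "+Infinity" OR _time &lt;= info_max_time)
| fields - info_min_time info_max_time info_search_time info_sid
| stats count AS status_changes
        dc(rule_id) AS notables_touched
        count(eval(status_group=="Closed")) AS closed
        min(_time) AS first_action
        max(_time) AS last_action
    BY reviewer_realname
| eval first_action=strftime(first_action, "%Y-%m-%d %H:%M:%S"),
       last_action=strftime(last_action, "%Y-%m-%d %H:%M:%S")
| sort - status_changes
          </query>
          <!-- Without these two elements the picker never reaches the job
               and addinfo would report an all-time range. -->
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The same `addinfo` / `where _time` pair can be appended to the ad hoc search from the question; the macro's trailing `eval _time=time` is what makes the filter possible, so it has to come after the macro, not before it.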

neerajs_81
Builder

Hi, I have marked your search as the solution, but I am noticing that even if I run it with a time range of last 24h, it still ends up dumping out everything. It does not show me the data specific to whatever date filter I have selected. I misunderstood then. How am I supposed to pass the time filter to this macro if there is |eval _time=time at the bottom?

chaker
Contributor

What are you trying to do with this macro?

The Incident Review dashboard in ES will let you use the time range picker to filter notable events. Plus you could set up a time range and other conditions like status=resolved and save it as a filter.

/en-US/app/SplunkEnterpriseSecuritySuite/incident_review