Splunk Enterprise Security

Help creating a table that shows Incident Review Mean Time to Triage

CodyQ
Explorer

Greetings,

I'm trying to create a table depicting something similar to the following:

Notabel Arrived Urgency rule_name Notable Assigned Reviewer Comment status_group status_label Notable Closed

1:30 am Medium Brute Force 1:45 am Smith This is xxxxx closed closed 1:56 am

I realize there are pre-built panels available in ES, but not that break down the information in this manner. Also, I realize there is a similar question already in Splunk Answers, but I wasn't able to manipulate the query to provide me with what I need, hence the question. Any help would be greatly appreciated!

0 Karma
1 Solution

CodyQ
Explorer

I was able to finally obtain the answer I needed and wanted to share the results just in case someone else might need it.

| incident_review
| rename status_label as status
| sort 4400 - _time
| table _time,rule_id,status,rule_name,owner_realname,comment,reviewer_realname
| join type=left rule_id
[ search notable
| rename _time as incident_creation_time
| convert ctime(incident_creation_time)
| stats min(incident_creation_time) as incident_creation_time by rule_id]

View solution in original post

0 Karma

CodyQ
Explorer

I was able to finally obtain the answer I needed and wanted to share the results just in case someone else might need it.

| incident_review
| rename status_label as status
| sort 4400 - _time
| table _time,rule_id,status,rule_name,owner_realname,comment,reviewer_realname
| join type=left rule_id
[ search notable
| rename _time as incident_creation_time
| convert ctime(incident_creation_time)
| stats min(incident_creation_time) as incident_creation_time by rule_id]

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@CodyQ If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Sukisen1981
Champion

you want the time diff between 1:30-1:45 am or something else?
Have you tried writing a regex with max=0 and then just getting the time difference as needed?

0 Karma

CodyQ
Explorer

Hi Sukisen,

I'm not trying to just get the time difference, but an entire table that depicts when the notable event triggered / arrived. When & who took ownership of the triggered alert, any comments they made, and when they closed it out. The time it took them to triage the alert would be a nice bonus but not really necessary. Thank you for responding and looking at my question.

0 Karma

Sukisen1981
Champion

what is the source of your table? can you pass some raw data as it looks in splunk events?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!