Splunk Enterprise Security

How can I run a search that shows the time notable events were created, were assigned and then closed in ES?

ezmo1982
Path Finder

Hi,

I am trying to figure out a way in which i can display the creation time of notable event, the time it was assigned to someone, and then the time the status was set to Closed. I would then like to list the time difference between all 3 - it is for SLA purposes in our SOC.

Note: When notables are created in my environment, the default status is "New"

Seen some examples that produce the mean/average closure time for notables etc, but I am looking for a search that will show it for every notable created (say within the last 24 hours for example)

Any help would be much appreciated!

 

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...