Splunk Enterprise Security

How do you add an additional “Drill-down Search” in the details of a Notable Event?

joe_kraxner
Explorer

When you expand the details of a Notable Event in Enterprise Security (ES) 3.x there is a heading called “Contributing Events” that presents a link for the “drill-down search” configured in the Correlated Search that generated the Notable Event.

Does anyone know if it is possible to add an additional “Drill-down Search” to provide another drill-down or alternative search in support of the Notable event?

Thank you.

joe_kraxner
Explorer

Just released in Splunk Enterprise Security 7.2.0, this is now a feature.

  • Splunk Idea ESSID-I-67: Ability to configure multiple drill-down searches for notable


mdessus_splunk
Splunk Employee

As far as I know, it's not possible out of the box. One workaround might be to use a workflow for a specific field that will be in your incident (but it will be available from everywhere).
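As an added illustration of the workflow-action workaround described above (this is example configuration, not something from the original thread or shipped with Enterprise Security), a `workflow_actions.conf` stanza can launch an alternative search from the field menu of a field such as `src` in a notable event. The stanza name, the `src` field, the index name and the time range are assumptions for the example; the action appears wherever that field shows up in search results, not only in the notable event details.

```ini
# Example stanza for workflow_actions.conf (e.g. in a custom app's local/ directory).
# Stanza name, field, index and time range are assumed values for illustration.
[es_alt_drilldown_src]
# Human-readable menu label; $src$ is replaced with the field value at click time.
label = Alternative drill-down: all events for $src$
# Show the action in both the event menu and the field menu.
display_location = both
# Only offer the action when this field is present in the event.
fields = src
# Run a search rather than open a URL.
type = search
# The alternative search to run; field tokens are substituted from the clicked event.
search.search_string = index=security_events src=$src$ | stats count by sourcetype, dest
# Open the results in a new browser tab within the ES app's search view.
search.target = blank
search.app = SplunkEnterpriseSecuritySuite
search.view = search
# Fixed time range for the drill-down instead of inheriting the current search's range.
search.preserve_timerange = false
search.earliest = -24h
search.latest = now
```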
