From the Incident Review dashboard > Actions is possible to Share Notable Events. To get the URL of the notable event a shortID is created on the fly. Could it be possible to automatically generate a shortID for each Notable Event?
I need the generated URL in the description field for our ticketing system, so analysts can go directly to ,
In principle, all you'd need to do is append a matching row to the notable_xref_lookup KV Store lookup.
I don't know if there are any pitfalls around doing that for every single notable though.
Note, you can build a direct URL based off the long-form event ID without generating a short ID. If it's just stored in a system somewhere and presented as a clickable link, the downside of an enormous string wouldn't be relevant. Make sure to also pass a reasonable time range in the URL, otherwise that search for an event ID might take ages.
I am trying to do the same thing. However, I am new to Splunk and ES. Can someone tell me how to create a URL like the above?
Is it done via tokens?
Thanks so much!
Here's how you link back using the long-form event ID:
https://es/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=1519430400&latest=151943...;
To create a short ID, you either insert a row to the notable_xref_lookup yourself, or you POST to /servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_xref with the following parameters: event_id, notable_time, xref_id, xref_label, xref_name, short_id.
I wouldn't recommend that though, you'd be relying on undocumented unpublished interfaces that could change with any upgrade without notice. I'd go with the long-form URL unless you absolutely have to have a human-typeable or phone-transmittable ID.
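An added example (not from the thread or from Splunk) of building the long-form link Martin describes, with the time range pinned around the notable's own timestamp so the event_id search stays cheap. The base host, the sample event ID and the name of the query parameter that carries the event ID (`search`) are assumptions.

```python
"""Build a long-form Incident Review link for a notable event.

Assumptions (not from the thread): the query parameter carrying the
event ID is named `search` and holds `event_id="<id>"`; the base URL
and the sample event ID used in tests are constructed placeholders.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder host; the path matches the one in the thread.
BASE = "https://es.example.internal/en-US/app/SplunkEnterpriseSecuritySuite/incident_review"


def incident_review_url(event_id: str, notable_time: int, window_seconds: int = 3600) -> str:
    """Return a link whose earliest/latest bound a window around the
    notable's _time, so the search for the event ID does not scan all time."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    params = {
        "earliest": notable_time - window_seconds,
        "latest": notable_time + window_seconds,
        # Parameter name is an assumption; urlencode handles quoting of the ID.
        "search": f'event_id="{event_id}"',
    }
    return f"{BASE}?{urlencode(params)}"


def has_bounded_time_range(url: str) -> bool:
    """Sanity check before handing a link to the ticketing system:
    both bounds present, numeric, and earliest strictly before latest."""
    qs = parse_qs(urlsplit(url).query)
    try:
        earliest = int(qs["earliest"][0])
        latest = int(qs["latest"][0])
    except (KeyError, ValueError):
        return False
    return earliest < latest
```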
Thanks Martin,
Your solution works, just keeping in mind that the earliest and latest fields have to be always present in the request.
I couldn't build the URL with the actual event ID pointing to the Incident Review dashboard. There are a few ways to accomplish this as far as I know:
So, for option 1 a Short ID has to be created (via Create Short ID or Share Notable Event). I would like to know how to automatically generate the Short ID (not clicking on it).
Any suggestions are welcome.
Thanks