Splunk Enterprise Security

How to automatically generate shortIDs to link and share notable events on the ES Incident Review dashboard?

Explorer

From the Incident Review dashboard > Actions, it is possible to Share Notable Events. To get the URL of the notable event, a shortID is created on the fly. Would it be possible to automatically generate a shortID for each Notable Event?

I need the generated URL in the description field for our ticketing system. So analysts can go directly to ,

1 Solution

SplunkTrust

In principle, all you'd need to do is append a matching row to the notable_xref_lookup KV Store lookup.
I don't know if there are any pitfalls around doing that for every single notable though.

Note, you can build a direct URL based off the long-form event ID without generating a short ID. If it's just stored in a system somewhere and presented as a clickable link, the downside of an enormous string wouldn't be relevant. Make sure to also pass a reasonable time range in the URL, otherwise that search for an event ID might take ages.

0 Karma

Engager

I am trying to do the same thing. However, I am new to Splunk and ES. Can someone tell me how to create a URL like the above?

Is it done via tokens?

Thanks so much!

0 Karma

SplunkTrust

Here's how you link back using the long-form event ID:

https://es/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=1519430400&latest=151943...;

To create a short ID, you either insert a row into the notable_xref_lookup yourself, or you POST to /servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_xref with the following parameters: event_id, notable_time, xref_id, xref_label, xref_name, short_id.
I wouldn't recommend that though; you'd be relying on undocumented, unpublished interfaces that could change with any upgrade without notice. I'd go with the long-form URL unless you absolutely have to have a human-typeable or phone-transmittable ID.

Explorer

Thanks Martin,

Your solution works, just keeping in mind that the earliest and latest fields have to be always present in the request.

0 Karma

Explorer

I couldn't build the URL with the actual event ID pointing to the Incident Review Dashboard. There are a few ways to accomplish this as far as I know:

  1. using the short ID as the unique identifier of the notable event and creating the GET request with the association fields, e.g. https://a.b.c.d:8000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?**form.association_type...
  2. passing all form fields to query a specific notable event, with the earliest and latest fields in epoch format; the precision of the time is very important. Otherwise, you could get 2 or more events in the given time period (earliest and latest) >>> I really don't like this option. E.g.: https://a.b.c.d:8000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=1519399455&lat...

So, for option 1 a Short ID has to be created (via Create Short ID or Share Notable Event). I would like to know how to automatically generate the Short ID (without clicking on it).

Any suggestions are welcome.

Thanks

0 Karma