Splunk Enterprise Security

How to pull the data from Splunk Security Incident Review Description column?

ajaylowes
Path Finder

I am trying to pull all the information from Splunk Security Incident Review Description column.

Please see the attachment.

I need to pull values corresponding to "Destination Business Unit " , "Destination category" ,....................., "Source PCI Domain".

alt text

0 Karma

LukeMurphey
Champion

The official way to do this is to use the notable macro in search (no leading pipe is necessary).

The content you want will be in the 'description' field. Note that the description field is dynamically created by replacing the field names in the 'rule_description' field.

See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more information.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

You can get them from index=notable OR by running search using the notable macro

You would need to ensure the assets are having bunit, category, domain fields populated as per your organization and they are linked (available) in the correlation search that produces the notable/incident (seen in the Incident review screen).

0 Karma

ajaylowes
Path Finder

How can i relate the incident seens in Incident tab to the notable.
I don't see event_id field from incident been locked to notable index.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

you can run the below and look for other rule_*, sid fields to enrich your need

`notable` | table _time, source, rule_id, event_id
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...