Splunk Enterprise Security

How to pull the data from Splunk Security Incident Review Description column?

Path Finder

I am trying to pull all the information from Splunk Security Incident Review Description column.

Please see the attachment.

I need to pull values corresponding to "Destination Business Unit " , "Destination category" ,....................., "Source PCI Domain".

alt text

0 Karma

Champion

The official way to do this is to use the notable macro in search (no leading pipe is necessary).

The content you want will be in the 'description' field. Note that the description field is dynamically created by replacing the field names in the 'rule_description' field.

See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more information.

0 Karma

SplunkTrust
SplunkTrust

You can get them from index=notable OR by running search using the notable macro

You would need to ensure the assets are having bunit, category, domain fields populated as per your organization and they are linked (available) in the correlation search that produces the notable/incident (seen in the Incident review screen).

0 Karma

Path Finder

How can i relate the incident seens in Incident tab to the notable.
I don't see event_id field from incident been locked to notable index.

0 Karma

SplunkTrust
SplunkTrust

you can run the below and look for other rule_*, sid fields to enrich your need

`notable` | table _time, source, rule_id, event_id
0 Karma