Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pull the data from Splunk Security Incident Review Description column?

ajaylowes
Path Finder
‎03-19-2019 06:31 AM

I am trying to pull all the information from Splunk Security Incident Review Description column.

Please see the attachment.

I need to pull values corresponding to "Destination Business Unit " , "Destination category" ,....................., "Source PCI Domain".

alt text

Preview file
35 KB
0 Karma
Reply

LukeMurphey
Champion
‎03-19-2019 09:20 AM

The official way to do this is to use the notable macro in search (no leading pipe is necessary).

The content you want will be in the 'description' field. Note that the description field is dynamically created by replacing the field names in the 'rule_description' field.

See http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA for more information.

0 Karma
Reply

lakshman239
Influencer
‎03-19-2019 06:43 AM

You can get them from index=notable OR by running search using the notable macro

You would need to ensure the assets are having bunit, category, domain fields populated as per your organization and they are linked (available) in the correlation search that produces the notable/incident (seen in the Incident review screen).

0 Karma
Reply

ajaylowes
Path Finder
‎03-26-2019 03:13 AM

How can i relate the incident seens in Incident tab to the notable.
I don't see event_id field from incident been locked to notable index.

0 Karma
Reply

lakshman239
Influencer
‎03-26-2019 03:24 AM

you can run the below and look for other rule_*, sid fields to enrich your need

`notable` | table _time, source, rule_id, event_id
0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...