How to search Notable Events By Owner and Severity...

deodeshm · ‎06-08-2022

As I understand es_notable_events is KVStore and it stores notable event information for last 48 hours/ also there is a panel in ES Audit dashboard that shows Notable Events By Owner - Last 48 Hours.

Is there any way to build a similar chart for older Notables?

Thanks,

Deovrat

aasabatini · ‎06-09-2022

Hi @deodeshm

Also notable events are stored in notable index.

you can see the notable info with this search.

search `notable`  | eval rule_name=if(isnull(rule_name),source,rule_name) | eval rule_title=if(isnull(rule_title),rule_name,rule_title) | `get_urgency` | `risk_correlation` | eval rule_description=if(isnull(rule_description),source,rule_description) | eval security_domain=if(isnull(security_domain),source,security_domain) | expandtoken

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

How to search Notable Events By Owner and Severity older than 48 hours?

correlation search

notable event

using Enterprise Security

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?