Splunk Enterprise Security

How to separately & automatically index drill down events of notables/incidents raised in ES

kamaljagga
Path Finder

I use the inbuilt ES notables and incidents for creating the tickets for the team to work on the issues. All the tickets are saved in a separate index=notable; however, the issue is that the drill down events of these notables are not saved separately. The drill down search runs on normal indexes such as windows/unix etc. with shorter retention periods. Sometimes I need those drill down events for research purposes, and then I need to unfreeze the whole bucket to get one event of the appropriate data.

I want to create a new index which will store drill down events for all the notables raised automatically and then I can adjust its retention period as per my need. 

Kindly advise.

kamaljagga
Path Finder
1. The drill down search is created and saved while creating the correlation search. Is there a way to run the drill down search automatically and save the results in a new index/data model etc.?
2. Notables are saved for a longer duration. Auditors sometimes are not satisfied with the incident notes and want to see the raw events.
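One way to get retention-controlled copies of the supporting events, as an added example that is not part of this thread and not Splunk's own recommendation: define a dedicated index with its own frozenTimePeriodInSecs, then schedule a search that reads the new notables, re-runs a per-rule evidence search with the notable's field values and time window, and writes the raw events into that index with `collect`. The index name `notable_evidence`, the saved search name, the rule name, the `src` field and the use of `info_min_time`/`info_max_time` as the notable's search window are assumptions for this example; the evidence search is written out per rule rather than taken from the stored `drilldown_search` field, because token substitution in that field is done by Incident Review at click time.

```ini
# indexes.conf (constructed example): a dedicated index whose retention is
# independent of the windows/unix indexes the correlation searches read.
[notable_evidence]
homePath   = $SPLUNK_DB/notable_evidence/db
coldPath   = $SPLUNK_DB/notable_evidence/colddb
thawedPath = $SPLUNK_DB/notable_evidence/thaweddb
# 2 years (assumed audit requirement); set this longer than the source indexes.
frozenTimePeriodInSecs = 63072000

# savedsearches.conf (constructed example): every 15 minutes, take the notables
# raised in the last 20 minutes for one rule and copy the raw events that
# produced each of them. The 5-minute overlap covers scheduler skew; re-collected
# duplicates are accepted rather than risking a gap.
[Notable evidence collector - Brute Force Access]
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
enableSched = 1
search = index=notable rule_name="Brute Force Access Behavior Detected" \
  | fields src, info_min_time, info_max_time \
  | dedup src, info_min_time, info_max_time \
  | map maxsearches=50 search="search index=windows OR index=unix src=\"$src$\" \
      earliest=\"$info_min_time$\" latest=\"$info_max_time$\" \
      | fields _time, _raw, host, source, sourcetype, index \
      | collect index=notable_evidence"
```

Two caveats a practitioner will want: `collect` writes with the default `stash` sourcetype, so the copies are not metered against the license, but the original `sourcetype` and `index` survive only as extracted fields in `_raw`, so keep them in the `fields` list before collecting. And because the evidence search is scoped to one notable's `src` and time window rather than everything the correlation search scanned, the volume is bounded by the notable rate, which is the cost richgalloway's reply warns about if you instead re-save whole search results.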

richgalloway
SplunkTrust

Thanks for the explanations.

Drilldowns are created when the CS is created, but they don't run until a user clicks on an event.  That's because the drilldown often uses values from the clicked event in its search.  To have a CS save all possible drilldown events would be the same as saving the data it just searched.  Since a CS may search the same data many times over the course of a day, re-saving every event searched would be very wasteful.

Would an auditor be satisfied if asked to wait a few hours for the archived bucket to be restored?

Consider making a case for different behavior at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.

kamaljagga
Path Finder

Submitted the idea. Kindly upvote.

https://ideas.splunk.com/ideas/ESSID-I-140


richgalloway
SplunkTrust

How do you know what events are needed for a drilldown before the drilldown is clicked?

Why retain a notable event longer than the supporting events?  If the notable can't be investigated then there's little point in keeping it.

---
If this reply helps you, Karma would be appreciated.