Splunk Enterprise Security

In Splunk Enterprise Security, how do I add a New field in an "Edit notable event" popup form?

Path Finder

Hi,

One of my customers asked to add a field to the "Edit notable event" popup form in Splunk ES 5.1.1. To be more precise, customer wants an "Incident category" field, that must be populated by Security Analyst, picking up a choice from a restricted set of values (something very similar to "Status" field).

I know that I can add a "table attribute" using incident review customization page, but:
- incident category is not associated to a field in originating event (it is classified by Security Analyst);
- incident category values must be selected using a drop-down, from a restricted set of values.

Do you have any suggestions?

Thank you!

Explorer

Would love to see if this ever gets added or is a way to add editable fields to notables.

0 Karma

Explorer

+1 if anyone finds a solution. This is a must-have feature of SIEM - if anyone wants to report accordingly to NIST or ENISA standards of incident classification.

0 Karma