Re: In Splunk Enterprise Security, how do I add a ...

mas · ‎10-08-2018

Hi,

One of my customers asked to add a field to the "Edit notable event" popup form in Splunk ES 5.1.1. To be more precise, customer wants an "Incident category" field, that must be populated by Security Analyst, picking up a choice from a restricted set of values (something very similar to "Status" field).

I know that I can add a "table attribute" using incident review customization page, but:
- incident category is not associated to a field in originating event (it is classified by Security Analyst);
- incident category values must be selected using a drop-down, from a restricted set of values.

Do you have any suggestions?

Thank you!

gworkun · ‎12-10-2018

Would love to see if this ever gets added or is a way to add editable fields to notables.

alekwisnia · ‎07-22-2020

+1 if anyone finds a solution. This is a must-have feature of SIEM - if anyone wants to report accordingly to NIST or ENISA standards of incident classification.

In Splunk Enterprise Security, how do I add a New field in an "Edit notable event" popup form?

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

In Splunk Enterprise Security, how do I add a New field in an "Edit notable event" popup form?

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...