Splunk Enterprise Security

In Splunk Enterprise Security, how do I add a New field in an "Edit notable event" popup form?

mas
Path Finder

Hi,

One of my customers asked to add a field to the "Edit notable event" popup form in Splunk ES 5.1.1. To be more precise, customer wants an "Incident category" field, that must be populated by Security Analyst, picking up a choice from a restricted set of values (something very similar to "Status" field).

I know that I can add a "table attribute" using incident review customization page, but:
- incident category is not associated to a field in originating event (it is classified by Security Analyst);
- incident category values must be selected using a drop-down, from a restricted set of values.

Do you have any suggestions?

Thank you!

gworkun
Explorer

Would love to see if this ever gets added or is a way to add editable fields to notables.

0 Karma

alekwisnia
Explorer

+1 if anyone finds a solution. This is a must-have feature of SIEM - if anyone wants to report accordingly to NIST or ENISA standards of incident classification.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...