Splunk Enterprise Security

Incident Review Dashboard incidents storage

coolwater77
Explorer

As I understand the splunk app for Enterprise Security creates a number of TSIDX namespaces that are used to store summary statistical data used by the dashboards and correlation searches throughout the app. And I guess the limit for the length of time that namespaces are retained is specified in the $SPLUNK_HOME/etc/apps//default/tsidx_retention.conf file.

The only available namespace that i see for notable events is the "sa_notables" I am trying to understand if this is the namespace that the incident review dashboard uses to store all its incidents and also would like to know if all the tickets that are managed by the incident review dashboards are also stored in the same name space and how to setup a retention to store all the tickets that my security operations have worked on

0 Karma

LukeMurphey
Champion

The output from the correlation searches (the notable events) are actually stored in a summary index called "notable". This index is managed by whatever retention policy you have defined for indexes.

The incident review dashboard stores the case statuses and notes in a lookup file (incident_review.csv) which won't get truncated (we keep the status changes forever).

BTW: You are correct, tsidx_retention.conf is used to limit the size of the TSIDX namespaces.

LukeMurphey
Champion

Depends what kind of access you are talking about.

The Incident Review Audit page in ES provides a view for looking at the contents.

On the file system, it is stored in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv.

You can also do a search to get back the contents:

| incident_review

0 Karma

coolwater77
Explorer

Thank you . How can I access the incident_review.csv file from the ES App.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...