Splunk Enterprise Security

Is it possible to generate a "ticket number" style reference for a notable event?

gmrtn14
New Member

I'd like each notable event that is raised in ES to have a unique "ticket number" style reference, automatically incrementing as events are raised - along the same kind of lines as ticket reference numbers that are created in systems like ServiceNow when a ticket is raised.

I appreciate that the event_id field is a unique reference for each notable but it's not user friendly enough to be used as a point of reference between multiple analysts

Is there a way to achieve what I am looking for?

0 Karma

hazekamp
Builder

For now, I would check out the "Share Notable Event" action in the Actions dropdown per notable event. This produces direct hyperlinks to the notable event with a copy-clipboard option. While not a "ticket number", this link can be distributed in digital-friendly ways:

https://server:8000/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=rule...

alt text

tezkpk
Engager

You could build a lookup process, which would link the event_id to a more user-friendly ticket number. I am sure that it could be automated with a python script, or some other form of scripting.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...