Splunk Enterprise Security

Need help with workflow action or notable event contribution events

satyaallaparthi
Path Finder

Hello,

We created a notable event for DLP, which is creating:

Contributing Events:
DLP Drilldown for 652837

Whenever I click on the DLP drilldown for the incident, it takes me to Splunk search and searches for the whole DLP web link in Splunk search, where I am not getting anything.

How can I create a notable event that links to a Google search instead of a Splunk search?
https://dlp/ProtectManager/EndpointIncidentDetail.do?value(variable_1)=incident.id&value(operator_1)...

I also created a workflow action, but no luck. I am attaching both my workflow actions and a notable event screenshot. Please help me with that.

Any help would be great.

Thanks

solarboyz1
Builder

The drill-down field of a notable expects Splunk search syntax; you can't reference a workflow.

Since your workflow has been created, you should see it available as a drop-down on the actions menu for the event on the incident review page.

Additionally, if you drill in to the notable, the workflow should be available in the action menu for the incident_id field.

As far as I know, you cannot specify an external link or workflow as a drill-down.
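
One way to wire up what this answer describes, as an added example that is not from the original thread: the drill-down stays a Splunk search that returns `incident_id`, and a link-type workflow action on that field opens the DLP console. The stanza names, the index and sourcetype, and the `dlp.example.invalid` URL are placeholders (the URL posted in the question is truncated), and the drill-down name pattern is an assumption.

```ini
# --- workflow_actions.conf (example; stanza name is hypothetical) ---
[dlp_open_incident]
type = link
label = Open DLP incident $incident_id$
# Offer the action only on events that carry this field
fields = incident_id
# Show it in both the event actions menu and the field's own menu
display_location = both
# Placeholder URL: substitute the full incident-detail URL of your DLP console.
# $incident_id$ is replaced with the field value and URL-encoded by Splunk.
link.uri = https://dlp.example.invalid/incident?id=$incident_id$
link.method = get
link.target = blank

# --- savedsearches.conf, correlation search stanza (name is hypothetical) ---
[Threat - DLP Incident - Rule]
# The drill-down must be SPL. Return raw events that contain incident_id
# so the workflow action above is offered on them.
# <dlp_index> and <dlp_sourcetype> are placeholders.
action.notable.param.drilldown_name = DLP Drilldown for $incident_id$
action.notable.param.drilldown_search = index=<dlp_index> sourcetype=<dlp_sourcetype> incident_id="$incident_id$"
```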
