Re: Need to pull all the data from the investigati...

ajaylowes · ‎03-19-2019

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

For starters, i need to pull the information from the investigation panel so that i can run the python script to push the data to the API.

LukeMurphey · ‎03-19-2019

I wrote a blog that describes how to do this: https://www.splunk.com/blog/2015/04/13/how-to-edit-notable-events-in-es-programatically.html

See also the docs here: https://docs.splunk.com/Documentation/ES/latest/API/NotableEventAPIreference

ajaylowes · ‎03-26-2019

@LukeMurphey For some strange reason, i dont see any event_id in my notable index.
Secondly, i want to fetch the notable info(not update the notable).

Can you please help me out

lakshman239 · ‎03-26-2019

if you run the notable macro search, you should see rule_id and event_id [ they are the same fields]

`notable` | table _time , source, event_id, rule_id

lakshman239 · ‎03-19-2019

Thanks @LukeMurphey for the links, but not seeing info related to Investigations performed against notables. Am I missing something?

LukeMurphey · ‎03-19-2019

I might have mistakenly assumed that "investigation" was a reference to a notable. If so, then my answer is incorrect.

@ajaylowes: could you clarify if you mean a notable event (what you see on Incident Review) or an investigation (what you see on the "Investigations" page)?

ajaylowes · ‎03-23-2019

@LukeMurphey This is what we see on the "investigation" page

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life